Use the stronger certificate fingerprint.
If a cert has a SHA256 use that one and only use SHA1 as fallback. Closes: https://github.com/profanity-im/profanity/issues/2068 Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
This commit is contained in:
@@ -292,11 +292,11 @@ cmd_tls_trust(ProfWin* window, const char* const command, gchar** args)
|
||||
}
|
||||
cafile_add(cert);
|
||||
if (tlscerts_exists(cert)) {
|
||||
cons_show("Certificate %s already trusted.", cert->fingerprint_sha1);
|
||||
cons_show("Certificate %s already trusted.", cert->fingerprint);
|
||||
tlscerts_free(cert);
|
||||
return TRUE;
|
||||
}
|
||||
cons_show("Adding %s to trusted certificates.", cert->fingerprint_sha1);
|
||||
cons_show("Adding %s to trusted certificates.", cert->fingerprint);
|
||||
tlscerts_add(cert);
|
||||
tlscerts_free(cert);
|
||||
return TRUE;
|
||||
|
||||
@@ -61,7 +61,7 @@ void
|
||||
cafile_add(const TLSCertificate* cert)
|
||||
{
|
||||
if (!cert->pem) {
|
||||
log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint_sha1);
|
||||
log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint);
|
||||
return;
|
||||
}
|
||||
auto_gchar gchar* cafile = _cafile_name();
|
||||
@@ -76,13 +76,17 @@ cafile_add(const TLSCertificate* cert)
|
||||
log_error("[CAfile] could not read from %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
|
||||
return;
|
||||
}
|
||||
if (strstr(contents, cert->fingerprint)) {
|
||||
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint);
|
||||
return;
|
||||
}
|
||||
if (strstr(contents, cert->fingerprint_sha1)) {
|
||||
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint_sha1);
|
||||
return;
|
||||
}
|
||||
}
|
||||
const char* header = "# Profanity CAfile\n# DO NOT EDIT - this file is automatically generated";
|
||||
new_contents = g_strdup_printf("%s\n\n# %s\n%s", contents ? contents : header, cert->fingerprint_sha1, cert->pem);
|
||||
new_contents = g_strdup_printf("%s\n# %s\n%s", contents ? contents : header, cert->fingerprint, cert->pem);
|
||||
if (!g_file_set_contents(cafile, new_contents, -1, &glib_error))
|
||||
log_error("[CAfile] could not write to %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
|
||||
}
|
||||
|
||||
@@ -95,13 +95,13 @@ tlscerts_set_current(const TLSCertificate* cert)
|
||||
if (current_fp) {
|
||||
free(current_fp);
|
||||
}
|
||||
current_fp = strdup(cert->fingerprint_sha1);
|
||||
current_fp = strdup(cert->fingerprint);
|
||||
}
|
||||
|
||||
gboolean
|
||||
tlscerts_current_fingerprint_equals(const TLSCertificate* cert)
|
||||
{
|
||||
return g_strcmp0(current_fp, cert->fingerprint_sha1) == 0;
|
||||
return g_strcmp0(current_fp, cert->fingerprint) == 0;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -116,7 +116,7 @@ tlscerts_clear_current(void)
|
||||
gboolean
|
||||
tlscerts_exists(const TLSCertificate* cert)
|
||||
{
|
||||
return g_key_file_has_group(tlscerts, cert->fingerprint_sha1);
|
||||
return g_key_file_has_group(tlscerts, cert->fingerprint);
|
||||
}
|
||||
|
||||
GList*
|
||||
@@ -154,11 +154,15 @@ tlscerts_new(const char* fingerprint_sha1, int version, const char* serialnumber
|
||||
{
|
||||
TLSCertificate* cert = calloc(1, sizeof(TLSCertificate));
|
||||
|
||||
if (fingerprint_sha1) {
|
||||
cert->fingerprint_sha1 = strdup(fingerprint_sha1);
|
||||
}
|
||||
if (fingerprint_sha256) {
|
||||
cert->fingerprint_sha256 = strdup(fingerprint_sha256);
|
||||
cert->fingerprint = cert->fingerprint_sha256;
|
||||
}
|
||||
if (fingerprint_sha1) {
|
||||
cert->fingerprint_sha1 = strdup(fingerprint_sha1);
|
||||
if (!cert->fingerprint) {
|
||||
cert->fingerprint = cert->fingerprint_sha1;
|
||||
}
|
||||
}
|
||||
cert->version = version;
|
||||
if (serialnumber) {
|
||||
@@ -261,33 +265,33 @@ tlscerts_add(const TLSCertificate* cert)
|
||||
return;
|
||||
}
|
||||
|
||||
if (!cert->fingerprint_sha1) {
|
||||
if (!cert->fingerprint) {
|
||||
return;
|
||||
}
|
||||
|
||||
autocomplete_add(certs_ac, cert->fingerprint_sha1);
|
||||
autocomplete_add(certs_ac, cert->fingerprint);
|
||||
|
||||
g_key_file_set_integer(tlscerts, cert->fingerprint_sha1, "version", cert->version);
|
||||
g_key_file_set_integer(tlscerts, cert->fingerprint, "version", cert->version);
|
||||
if (cert->serialnumber) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "serialnumber", cert->serialnumber);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "serialnumber", cert->serialnumber);
|
||||
}
|
||||
if (cert->subjectname) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "subjectname", cert->subjectname);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "subjectname", cert->subjectname);
|
||||
}
|
||||
if (cert->issuername) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "issuername", cert->issuername);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "issuername", cert->issuername);
|
||||
}
|
||||
if (cert->notbefore) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "start", cert->notbefore);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "start", cert->notbefore);
|
||||
}
|
||||
if (cert->notafter) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "end", cert->notafter);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "end", cert->notafter);
|
||||
}
|
||||
if (cert->key_alg) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "keyalg", cert->key_alg);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "keyalg", cert->key_alg);
|
||||
}
|
||||
if (cert->signature_alg) {
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "signaturealg", cert->signature_alg);
|
||||
g_key_file_set_string(tlscerts, cert->fingerprint, "signaturealg", cert->signature_alg);
|
||||
}
|
||||
|
||||
_save_tlscerts();
|
||||
|
||||
@@ -41,6 +41,7 @@
|
||||
typedef struct tls_cert_t
|
||||
{
|
||||
int version;
|
||||
const char* fingerprint;
|
||||
char* serialnumber;
|
||||
char* subjectname;
|
||||
char* subject_country;
|
||||
|
||||
@@ -1197,7 +1197,7 @@ sv_ev_certfail(const char* const errormsg, const TLSCertificate* cert)
|
||||
tlscerts_set_current(cert);
|
||||
return 1;
|
||||
} else if (g_strcmp0(cmd, "/tls always") == 0) {
|
||||
cons_show("Adding %s to trusted certificates.", cert->fingerprint_sha1);
|
||||
cons_show("Adding %s to trusted certificates.", cert->fingerprint);
|
||||
if (!tlscerts_exists(cert)) {
|
||||
tlscerts_add(cert);
|
||||
cafile_add(cert);
|
||||
|
||||
@@ -187,7 +187,7 @@ cons_show_tlscert_summary(const TLSCertificate* cert)
|
||||
|
||||
cons_show("Subject : %s", cert->subject_commonname);
|
||||
cons_show("Issuer : %s", cert->issuer_commonname);
|
||||
cons_show("Fingerprint : %s", cert->fingerprint_sha1);
|
||||
cons_show("Fingerprint : %s", cert->fingerprint);
|
||||
}
|
||||
|
||||
void
|
||||
|
||||
Reference in New Issue
Block a user