Use the stronger certificate fingerprint.

If a cert has a SHA256 use that one and only use SHA1 as fallback.

Closes: https://github.com/profanity-im/profanity/issues/2068
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
This commit is contained in:
Steffen Jaeckel
2025-11-04 17:46:48 +01:00
parent 0acea8d0d2
commit a07cff8a99
6 changed files with 31 additions and 22 deletions

View File

@@ -292,11 +292,11 @@ cmd_tls_trust(ProfWin* window, const char* const command, gchar** args)
}
cafile_add(cert);
if (tlscerts_exists(cert)) {
cons_show("Certificate %s already trusted.", cert->fingerprint_sha1);
cons_show("Certificate %s already trusted.", cert->fingerprint);
tlscerts_free(cert);
return TRUE;
}
cons_show("Adding %s to trusted certificates.", cert->fingerprint_sha1);
cons_show("Adding %s to trusted certificates.", cert->fingerprint);
tlscerts_add(cert);
tlscerts_free(cert);
return TRUE;

View File

@@ -61,7 +61,7 @@ void
cafile_add(const TLSCertificate* cert)
{
if (!cert->pem) {
log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint_sha1);
log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint);
return;
}
auto_gchar gchar* cafile = _cafile_name();
@@ -76,13 +76,17 @@ cafile_add(const TLSCertificate* cert)
log_error("[CAfile] could not read from %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
return;
}
if (strstr(contents, cert->fingerprint)) {
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint);
return;
}
if (strstr(contents, cert->fingerprint_sha1)) {
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint_sha1);
return;
}
}
const char* header = "# Profanity CAfile\n# DO NOT EDIT - this file is automatically generated";
new_contents = g_strdup_printf("%s\n\n# %s\n%s", contents ? contents : header, cert->fingerprint_sha1, cert->pem);
new_contents = g_strdup_printf("%s\n# %s\n%s", contents ? contents : header, cert->fingerprint, cert->pem);
if (!g_file_set_contents(cafile, new_contents, -1, &glib_error))
log_error("[CAfile] could not write to %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
}

View File

@@ -95,13 +95,13 @@ tlscerts_set_current(const TLSCertificate* cert)
if (current_fp) {
free(current_fp);
}
current_fp = strdup(cert->fingerprint_sha1);
current_fp = strdup(cert->fingerprint);
}
gboolean
tlscerts_current_fingerprint_equals(const TLSCertificate* cert)
{
return g_strcmp0(current_fp, cert->fingerprint_sha1) == 0;
return g_strcmp0(current_fp, cert->fingerprint) == 0;
}
void
@@ -116,7 +116,7 @@ tlscerts_clear_current(void)
gboolean
tlscerts_exists(const TLSCertificate* cert)
{
return g_key_file_has_group(tlscerts, cert->fingerprint_sha1);
return g_key_file_has_group(tlscerts, cert->fingerprint);
}
GList*
@@ -154,11 +154,15 @@ tlscerts_new(const char* fingerprint_sha1, int version, const char* serialnumber
{
TLSCertificate* cert = calloc(1, sizeof(TLSCertificate));
if (fingerprint_sha1) {
cert->fingerprint_sha1 = strdup(fingerprint_sha1);
}
if (fingerprint_sha256) {
cert->fingerprint_sha256 = strdup(fingerprint_sha256);
cert->fingerprint = cert->fingerprint_sha256;
}
if (fingerprint_sha1) {
cert->fingerprint_sha1 = strdup(fingerprint_sha1);
if (!cert->fingerprint) {
cert->fingerprint = cert->fingerprint_sha1;
}
}
cert->version = version;
if (serialnumber) {
@@ -261,33 +265,33 @@ tlscerts_add(const TLSCertificate* cert)
return;
}
if (!cert->fingerprint_sha1) {
if (!cert->fingerprint) {
return;
}
autocomplete_add(certs_ac, cert->fingerprint_sha1);
autocomplete_add(certs_ac, cert->fingerprint);
g_key_file_set_integer(tlscerts, cert->fingerprint_sha1, "version", cert->version);
g_key_file_set_integer(tlscerts, cert->fingerprint, "version", cert->version);
if (cert->serialnumber) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "serialnumber", cert->serialnumber);
g_key_file_set_string(tlscerts, cert->fingerprint, "serialnumber", cert->serialnumber);
}
if (cert->subjectname) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "subjectname", cert->subjectname);
g_key_file_set_string(tlscerts, cert->fingerprint, "subjectname", cert->subjectname);
}
if (cert->issuername) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "issuername", cert->issuername);
g_key_file_set_string(tlscerts, cert->fingerprint, "issuername", cert->issuername);
}
if (cert->notbefore) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "start", cert->notbefore);
g_key_file_set_string(tlscerts, cert->fingerprint, "start", cert->notbefore);
}
if (cert->notafter) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "end", cert->notafter);
g_key_file_set_string(tlscerts, cert->fingerprint, "end", cert->notafter);
}
if (cert->key_alg) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "keyalg", cert->key_alg);
g_key_file_set_string(tlscerts, cert->fingerprint, "keyalg", cert->key_alg);
}
if (cert->signature_alg) {
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "signaturealg", cert->signature_alg);
g_key_file_set_string(tlscerts, cert->fingerprint, "signaturealg", cert->signature_alg);
}
_save_tlscerts();

View File

@@ -41,6 +41,7 @@
typedef struct tls_cert_t
{
int version;
const char* fingerprint;
char* serialnumber;
char* subjectname;
char* subject_country;

View File

@@ -1197,7 +1197,7 @@ sv_ev_certfail(const char* const errormsg, const TLSCertificate* cert)
tlscerts_set_current(cert);
return 1;
} else if (g_strcmp0(cmd, "/tls always") == 0) {
cons_show("Adding %s to trusted certificates.", cert->fingerprint_sha1);
cons_show("Adding %s to trusted certificates.", cert->fingerprint);
if (!tlscerts_exists(cert)) {
tlscerts_add(cert);
cafile_add(cert);

View File

@@ -187,7 +187,7 @@ cons_show_tlscert_summary(const TLSCertificate* cert)
cons_show("Subject : %s", cert->subject_commonname);
cons_show("Issuer : %s", cert->issuer_commonname);
cons_show("Fingerprint : %s", cert->fingerprint_sha1);
cons_show("Fingerprint : %s", cert->fingerprint);
}
void