Use the stronger certificate fingerprint.
If a cert has a SHA256 use that one and only use SHA1 as fallback. Closes: https://github.com/profanity-im/profanity/issues/2068 Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
This commit is contained in:
@@ -292,11 +292,11 @@ cmd_tls_trust(ProfWin* window, const char* const command, gchar** args)
|
|||||||
}
|
}
|
||||||
cafile_add(cert);
|
cafile_add(cert);
|
||||||
if (tlscerts_exists(cert)) {
|
if (tlscerts_exists(cert)) {
|
||||||
cons_show("Certificate %s already trusted.", cert->fingerprint_sha1);
|
cons_show("Certificate %s already trusted.", cert->fingerprint);
|
||||||
tlscerts_free(cert);
|
tlscerts_free(cert);
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
cons_show("Adding %s to trusted certificates.", cert->fingerprint_sha1);
|
cons_show("Adding %s to trusted certificates.", cert->fingerprint);
|
||||||
tlscerts_add(cert);
|
tlscerts_add(cert);
|
||||||
tlscerts_free(cert);
|
tlscerts_free(cert);
|
||||||
return TRUE;
|
return TRUE;
|
||||||
|
|||||||
@@ -61,7 +61,7 @@ void
|
|||||||
cafile_add(const TLSCertificate* cert)
|
cafile_add(const TLSCertificate* cert)
|
||||||
{
|
{
|
||||||
if (!cert->pem) {
|
if (!cert->pem) {
|
||||||
log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint_sha1);
|
log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
auto_gchar gchar* cafile = _cafile_name();
|
auto_gchar gchar* cafile = _cafile_name();
|
||||||
@@ -76,13 +76,17 @@ cafile_add(const TLSCertificate* cert)
|
|||||||
log_error("[CAfile] could not read from %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
|
log_error("[CAfile] could not read from %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
if (strstr(contents, cert->fingerprint)) {
|
||||||
|
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint);
|
||||||
|
return;
|
||||||
|
}
|
||||||
if (strstr(contents, cert->fingerprint_sha1)) {
|
if (strstr(contents, cert->fingerprint_sha1)) {
|
||||||
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint_sha1);
|
log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint_sha1);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
const char* header = "# Profanity CAfile\n# DO NOT EDIT - this file is automatically generated";
|
const char* header = "# Profanity CAfile\n# DO NOT EDIT - this file is automatically generated";
|
||||||
new_contents = g_strdup_printf("%s\n\n# %s\n%s", contents ? contents : header, cert->fingerprint_sha1, cert->pem);
|
new_contents = g_strdup_printf("%s\n# %s\n%s", contents ? contents : header, cert->fingerprint, cert->pem);
|
||||||
if (!g_file_set_contents(cafile, new_contents, -1, &glib_error))
|
if (!g_file_set_contents(cafile, new_contents, -1, &glib_error))
|
||||||
log_error("[CAfile] could not write to %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
|
log_error("[CAfile] could not write to %s: %s", cafile, PROF_GERROR_MESSAGE(glib_error));
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -95,13 +95,13 @@ tlscerts_set_current(const TLSCertificate* cert)
|
|||||||
if (current_fp) {
|
if (current_fp) {
|
||||||
free(current_fp);
|
free(current_fp);
|
||||||
}
|
}
|
||||||
current_fp = strdup(cert->fingerprint_sha1);
|
current_fp = strdup(cert->fingerprint);
|
||||||
}
|
}
|
||||||
|
|
||||||
gboolean
|
gboolean
|
||||||
tlscerts_current_fingerprint_equals(const TLSCertificate* cert)
|
tlscerts_current_fingerprint_equals(const TLSCertificate* cert)
|
||||||
{
|
{
|
||||||
return g_strcmp0(current_fp, cert->fingerprint_sha1) == 0;
|
return g_strcmp0(current_fp, cert->fingerprint) == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@@ -116,7 +116,7 @@ tlscerts_clear_current(void)
|
|||||||
gboolean
|
gboolean
|
||||||
tlscerts_exists(const TLSCertificate* cert)
|
tlscerts_exists(const TLSCertificate* cert)
|
||||||
{
|
{
|
||||||
return g_key_file_has_group(tlscerts, cert->fingerprint_sha1);
|
return g_key_file_has_group(tlscerts, cert->fingerprint);
|
||||||
}
|
}
|
||||||
|
|
||||||
GList*
|
GList*
|
||||||
@@ -154,11 +154,15 @@ tlscerts_new(const char* fingerprint_sha1, int version, const char* serialnumber
|
|||||||
{
|
{
|
||||||
TLSCertificate* cert = calloc(1, sizeof(TLSCertificate));
|
TLSCertificate* cert = calloc(1, sizeof(TLSCertificate));
|
||||||
|
|
||||||
if (fingerprint_sha1) {
|
|
||||||
cert->fingerprint_sha1 = strdup(fingerprint_sha1);
|
|
||||||
}
|
|
||||||
if (fingerprint_sha256) {
|
if (fingerprint_sha256) {
|
||||||
cert->fingerprint_sha256 = strdup(fingerprint_sha256);
|
cert->fingerprint_sha256 = strdup(fingerprint_sha256);
|
||||||
|
cert->fingerprint = cert->fingerprint_sha256;
|
||||||
|
}
|
||||||
|
if (fingerprint_sha1) {
|
||||||
|
cert->fingerprint_sha1 = strdup(fingerprint_sha1);
|
||||||
|
if (!cert->fingerprint) {
|
||||||
|
cert->fingerprint = cert->fingerprint_sha1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
cert->version = version;
|
cert->version = version;
|
||||||
if (serialnumber) {
|
if (serialnumber) {
|
||||||
@@ -261,33 +265,33 @@ tlscerts_add(const TLSCertificate* cert)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!cert->fingerprint_sha1) {
|
if (!cert->fingerprint) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
autocomplete_add(certs_ac, cert->fingerprint_sha1);
|
autocomplete_add(certs_ac, cert->fingerprint);
|
||||||
|
|
||||||
g_key_file_set_integer(tlscerts, cert->fingerprint_sha1, "version", cert->version);
|
g_key_file_set_integer(tlscerts, cert->fingerprint, "version", cert->version);
|
||||||
if (cert->serialnumber) {
|
if (cert->serialnumber) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "serialnumber", cert->serialnumber);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "serialnumber", cert->serialnumber);
|
||||||
}
|
}
|
||||||
if (cert->subjectname) {
|
if (cert->subjectname) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "subjectname", cert->subjectname);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "subjectname", cert->subjectname);
|
||||||
}
|
}
|
||||||
if (cert->issuername) {
|
if (cert->issuername) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "issuername", cert->issuername);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "issuername", cert->issuername);
|
||||||
}
|
}
|
||||||
if (cert->notbefore) {
|
if (cert->notbefore) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "start", cert->notbefore);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "start", cert->notbefore);
|
||||||
}
|
}
|
||||||
if (cert->notafter) {
|
if (cert->notafter) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "end", cert->notafter);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "end", cert->notafter);
|
||||||
}
|
}
|
||||||
if (cert->key_alg) {
|
if (cert->key_alg) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "keyalg", cert->key_alg);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "keyalg", cert->key_alg);
|
||||||
}
|
}
|
||||||
if (cert->signature_alg) {
|
if (cert->signature_alg) {
|
||||||
g_key_file_set_string(tlscerts, cert->fingerprint_sha1, "signaturealg", cert->signature_alg);
|
g_key_file_set_string(tlscerts, cert->fingerprint, "signaturealg", cert->signature_alg);
|
||||||
}
|
}
|
||||||
|
|
||||||
_save_tlscerts();
|
_save_tlscerts();
|
||||||
|
|||||||
@@ -41,6 +41,7 @@
|
|||||||
typedef struct tls_cert_t
|
typedef struct tls_cert_t
|
||||||
{
|
{
|
||||||
int version;
|
int version;
|
||||||
|
const char* fingerprint;
|
||||||
char* serialnumber;
|
char* serialnumber;
|
||||||
char* subjectname;
|
char* subjectname;
|
||||||
char* subject_country;
|
char* subject_country;
|
||||||
|
|||||||
@@ -1197,7 +1197,7 @@ sv_ev_certfail(const char* const errormsg, const TLSCertificate* cert)
|
|||||||
tlscerts_set_current(cert);
|
tlscerts_set_current(cert);
|
||||||
return 1;
|
return 1;
|
||||||
} else if (g_strcmp0(cmd, "/tls always") == 0) {
|
} else if (g_strcmp0(cmd, "/tls always") == 0) {
|
||||||
cons_show("Adding %s to trusted certificates.", cert->fingerprint_sha1);
|
cons_show("Adding %s to trusted certificates.", cert->fingerprint);
|
||||||
if (!tlscerts_exists(cert)) {
|
if (!tlscerts_exists(cert)) {
|
||||||
tlscerts_add(cert);
|
tlscerts_add(cert);
|
||||||
cafile_add(cert);
|
cafile_add(cert);
|
||||||
|
|||||||
@@ -187,7 +187,7 @@ cons_show_tlscert_summary(const TLSCertificate* cert)
|
|||||||
|
|
||||||
cons_show("Subject : %s", cert->subject_commonname);
|
cons_show("Subject : %s", cert->subject_commonname);
|
||||||
cons_show("Issuer : %s", cert->issuer_commonname);
|
cons_show("Issuer : %s", cert->issuer_commonname);
|
||||||
cons_show("Fingerprint : %s", cert->fingerprint_sha1);
|
cons_show("Fingerprint : %s", cert->fingerprint);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
|||||||
Reference in New Issue
Block a user