Store trusted TLS cert fingerprints

2024-06-23 21:45:30 +00:00 · 2015-09-22 22:44:18 +01:00 · 2015-09-22 22:44:18 +01:00 · b88885aaae
commit b88885aaae
parent 9a53854a1d
4 changed files with 99 additions and 3 deletions
--- a/src/command/command.c
+++ b/src/command/command.c
@ -192,12 +192,14 @@ static struct cmd_t command_defs[] =
            CMD_TAG_CONNECTION)
        CMD_SYN(
            "/tls allow",
+            "/tls always",
            "/tls deny")
        CMD_DESC(
            "Handle TLS certificates. ")
        CMD_ARGS(
-            { "allow", "Allow connection using invalid TLS certificate." },
-            { "deny",  "Allow connection using invalid TLS certificate." })
+            { "allow",  "Allow connection to continue with an invalid TLS certificate." },
+            { "always", "Always allow connections with this invalid TLS certificate." },
+            { "deny",   "Terminate TLS connection." })
        CMD_NOEXAMPLES
    },

@ -2088,6 +2090,7 @@ cmd_init(void)

    tls_ac = autocomplete_new();
    autocomplete_add(tls_ac, "allow");
+    autocomplete_add(tls_ac, "always");
    autocomplete_add(tls_ac, "deny");
 }

--- a/src/config/preferences.c
+++ b/src/config/preferences.c
@ -430,6 +430,80 @@ prefs_set_pgp_char(char ch)
    _save_prefs();
 }

+GList *
+prefs_get_trusted_certs(void)
+{
+    gsize length;
+    GList *fp_list = NULL;
+    gchar **fps = g_key_file_get_string_list(prefs, PREF_GROUP_CONNECTION, "certs", &length, NULL);
+    if (fps) {
+        int i = 0;
+        for (i = 0; i < length; i++) {
+            fp_list = g_list_append(fp_list, strdup(fps[i]));
+        }
+        g_strfreev(fps);
+        return fp_list;
+    } else {
+        return NULL;
+    }
+}
+
+void
+prefs_free_trusted_certs(GList *certs)
+{
+    if (certs) {
+        g_list_free_full(certs, free);
+    }
+}
+
+void
+prefs_add_trusted_cert(const char * const fp)
+{
+    gsize length;
+    gchar **list = g_key_file_get_string_list(prefs, PREF_GROUP_CONNECTION, "certs", &length, NULL);
+    GList *glist = NULL;
+
+    // list found
+    if (list) {
+        int i = 0;
+        for (i = 0; i < length; i++) {
+            // item already in list, exit function
+            if (strcmp(list[i], fp) == 0) {
+                g_list_free_full(glist, g_free);
+                g_strfreev(list);
+                return;
+            }
+            // add item to our g_list
+            glist = g_list_append(glist, strdup(list[i]));
+        }
+
+        // item not found, add to our g_list
+        glist = g_list_append(glist, strdup(fp));
+
+        // create the new list entry
+        const gchar* new_list[g_list_length(glist)+1];
+        GList *curr = glist;
+        i = 0;
+        while (curr) {
+            new_list[i++] = strdup(curr->data);
+            curr = g_list_next(curr);
+        }
+        new_list[i] = NULL;
+        g_key_file_set_string_list(prefs, PREF_GROUP_CONNECTION, "certs", new_list, g_list_length(glist));
+
+    // list not found
+    } else {
+        const gchar* new_list[2];
+        new_list[0] = strdup(fp);
+        new_list[1] = NULL;
+        g_key_file_set_string_list(prefs, PREF_GROUP_CONNECTION, "certs", new_list, 1);
+    }
+
+    g_strfreev(list);
+    g_list_free_full(glist, g_free);
+    _save_prefs();
+}
+
 gboolean
 prefs_add_alias(const char * const name, const char * const value)
 {
--- a/src/config/preferences.h
+++ b/src/config/preferences.h
@ -162,4 +162,8 @@ char * prefs_get_string(preference_t pref);
 void prefs_free_string(char *pref);
 void prefs_set_string(preference_t pref, char *value);

+GList* prefs_get_trusted_certs(void);
+void prefs_free_trusted_certs(GList *certs);
+void prefs_add_trusted_cert(const char * const fp);
+
 #endif
--- a/src/event/server_events.c
+++ b/src/event/server_events.c
@ -643,6 +643,13 @@ int
 sv_ev_certfail(const char * const errormsg, const char * const certname, const char * const certfp,
    const char * const notbefore, const char * const notafter)
 {
+    GList *trusted = prefs_get_trusted_certs();
+    if (g_list_find_custom(trusted, certfp, (GCompareFunc)g_strcmp0)) {
+        prefs_free_trusted_certs(trusted);
+        return 1;
+    }
+    prefs_free_trusted_certs(trusted);
+
    cons_show("");
    cons_show_error("TLS certficiate verification failed: %s", errormsg);
    cons_show("  Issuer      : %s", certname);
@ -651,14 +658,18 @@ sv_ev_certfail(const char * const errormsg, const char * const certname, const c
    cons_show("  End         : %s", notafter);
    cons_show("");
    cons_show("Use '/tls allow' to accept this certificate");
+    cons_show("Use '/tls always' to accept this certificate permanently");
    cons_show("Use '/tls deny' to reject this certificate");
    cons_show("");
    ui_update();

    char *cmd = ui_get_line();

-    while ((g_strcmp0(cmd, "/tls allow") != 0) && (g_strcmp0(cmd, "/tls deny") != 0)) {
+    while ((g_strcmp0(cmd, "/tls allow") != 0)
+                && (g_strcmp0(cmd, "/tls always") != 0)
+                && (g_strcmp0(cmd, "/tls deny") != 0)) {
        cons_show("Use '/tls allow' to accept this certificate");
+        cons_show("Use '/tls always' to accept this certificate permanently");
        cons_show("Use '/tls deny' to reject this certificate");
        cons_show("");
        ui_update();
@ -669,6 +680,10 @@ sv_ev_certfail(const char * const errormsg, const char * const certname, const c
    if (g_strcmp0(cmd, "/tls allow") == 0) {
        free(cmd);
        return 1;
+    } else if (g_strcmp0(cmd, "/tls always") == 0) {
+        prefs_add_trusted_cert(certfp);
+        free(cmd);
+        return 1;
    } else {
        free(cmd);
        return 0;