1
0
mirror of https://github.com/profanity-im/profanity.git synced 2024-12-04 14:46:46 -05:00

Store trusted TLS cert fingerprints

This commit is contained in:
James Booth 2015-09-22 22:44:18 +01:00
parent 9a53854a1d
commit b88885aaae
4 changed files with 99 additions and 3 deletions

View File

@ -192,12 +192,14 @@ static struct cmd_t command_defs[] =
CMD_TAG_CONNECTION) CMD_TAG_CONNECTION)
CMD_SYN( CMD_SYN(
"/tls allow", "/tls allow",
"/tls always",
"/tls deny") "/tls deny")
CMD_DESC( CMD_DESC(
"Handle TLS certificates. ") "Handle TLS certificates. ")
CMD_ARGS( CMD_ARGS(
{ "allow", "Allow connection using invalid TLS certificate." }, { "allow", "Allow connection to continue with an invalid TLS certificate." },
{ "deny", "Allow connection using invalid TLS certificate." }) { "always", "Always allow connections with this invalid TLS certificate." },
{ "deny", "Terminate TLS connection." })
CMD_NOEXAMPLES CMD_NOEXAMPLES
}, },
@ -2088,6 +2090,7 @@ cmd_init(void)
tls_ac = autocomplete_new(); tls_ac = autocomplete_new();
autocomplete_add(tls_ac, "allow"); autocomplete_add(tls_ac, "allow");
autocomplete_add(tls_ac, "always");
autocomplete_add(tls_ac, "deny"); autocomplete_add(tls_ac, "deny");
} }

View File

@ -430,6 +430,80 @@ prefs_set_pgp_char(char ch)
_save_prefs(); _save_prefs();
} }
GList *
prefs_get_trusted_certs(void)
{
gsize length;
GList *fp_list = NULL;
gchar **fps = g_key_file_get_string_list(prefs, PREF_GROUP_CONNECTION, "certs", &length, NULL);
if (fps) {
int i = 0;
for (i = 0; i < length; i++) {
fp_list = g_list_append(fp_list, strdup(fps[i]));
}
g_strfreev(fps);
return fp_list;
} else {
return NULL;
}
}
void
prefs_free_trusted_certs(GList *certs)
{
if (certs) {
g_list_free_full(certs, free);
}
}
void
prefs_add_trusted_cert(const char * const fp)
{
gsize length;
gchar **list = g_key_file_get_string_list(prefs, PREF_GROUP_CONNECTION, "certs", &length, NULL);
GList *glist = NULL;
// list found
if (list) {
int i = 0;
for (i = 0; i < length; i++) {
// item already in list, exit function
if (strcmp(list[i], fp) == 0) {
g_list_free_full(glist, g_free);
g_strfreev(list);
return;
}
// add item to our g_list
glist = g_list_append(glist, strdup(list[i]));
}
// item not found, add to our g_list
glist = g_list_append(glist, strdup(fp));
// create the new list entry
const gchar* new_list[g_list_length(glist)+1];
GList *curr = glist;
i = 0;
while (curr) {
new_list[i++] = strdup(curr->data);
curr = g_list_next(curr);
}
new_list[i] = NULL;
g_key_file_set_string_list(prefs, PREF_GROUP_CONNECTION, "certs", new_list, g_list_length(glist));
// list not found
} else {
const gchar* new_list[2];
new_list[0] = strdup(fp);
new_list[1] = NULL;
g_key_file_set_string_list(prefs, PREF_GROUP_CONNECTION, "certs", new_list, 1);
}
g_strfreev(list);
g_list_free_full(glist, g_free);
_save_prefs();
}
gboolean gboolean
prefs_add_alias(const char * const name, const char * const value) prefs_add_alias(const char * const name, const char * const value)
{ {

View File

@ -162,4 +162,8 @@ char * prefs_get_string(preference_t pref);
void prefs_free_string(char *pref); void prefs_free_string(char *pref);
void prefs_set_string(preference_t pref, char *value); void prefs_set_string(preference_t pref, char *value);
GList* prefs_get_trusted_certs(void);
void prefs_free_trusted_certs(GList *certs);
void prefs_add_trusted_cert(const char * const fp);
#endif #endif

View File

@ -643,6 +643,13 @@ int
sv_ev_certfail(const char * const errormsg, const char * const certname, const char * const certfp, sv_ev_certfail(const char * const errormsg, const char * const certname, const char * const certfp,
const char * const notbefore, const char * const notafter) const char * const notbefore, const char * const notafter)
{ {
GList *trusted = prefs_get_trusted_certs();
if (g_list_find_custom(trusted, certfp, (GCompareFunc)g_strcmp0)) {
prefs_free_trusted_certs(trusted);
return 1;
}
prefs_free_trusted_certs(trusted);
cons_show(""); cons_show("");
cons_show_error("TLS certficiate verification failed: %s", errormsg); cons_show_error("TLS certficiate verification failed: %s", errormsg);
cons_show(" Issuer : %s", certname); cons_show(" Issuer : %s", certname);
@ -651,14 +658,18 @@ sv_ev_certfail(const char * const errormsg, const char * const certname, const c
cons_show(" End : %s", notafter); cons_show(" End : %s", notafter);
cons_show(""); cons_show("");
cons_show("Use '/tls allow' to accept this certificate"); cons_show("Use '/tls allow' to accept this certificate");
cons_show("Use '/tls always' to accept this certificate permanently");
cons_show("Use '/tls deny' to reject this certificate"); cons_show("Use '/tls deny' to reject this certificate");
cons_show(""); cons_show("");
ui_update(); ui_update();
char *cmd = ui_get_line(); char *cmd = ui_get_line();
while ((g_strcmp0(cmd, "/tls allow") != 0) && (g_strcmp0(cmd, "/tls deny") != 0)) { while ((g_strcmp0(cmd, "/tls allow") != 0)
&& (g_strcmp0(cmd, "/tls always") != 0)
&& (g_strcmp0(cmd, "/tls deny") != 0)) {
cons_show("Use '/tls allow' to accept this certificate"); cons_show("Use '/tls allow' to accept this certificate");
cons_show("Use '/tls always' to accept this certificate permanently");
cons_show("Use '/tls deny' to reject this certificate"); cons_show("Use '/tls deny' to reject this certificate");
cons_show(""); cons_show("");
ui_update(); ui_update();
@ -669,6 +680,10 @@ sv_ev_certfail(const char * const errormsg, const char * const certname, const c
if (g_strcmp0(cmd, "/tls allow") == 0) { if (g_strcmp0(cmd, "/tls allow") == 0) {
free(cmd); free(cmd);
return 1; return 1;
} else if (g_strcmp0(cmd, "/tls always") == 0) {
prefs_add_trusted_cert(certfp);
free(cmd);
return 1;
} else { } else {
free(cmd); free(cmd);
return 0; return 0;