mirror of
https://github.com/weechat/weechat.git
synced 2026-07-08 02:33:12 +02:00
irc: evaluate content of server option "ssl_fingerprint" (closes #858)
This commit is contained in:
@@ -4056,8 +4056,8 @@ irc_server_gnutls_callback (const void *pointer, void *data,
|
||||
gnutls_datum_t filedatum;
|
||||
unsigned int i, cert_list_len, status;
|
||||
time_t cert_time;
|
||||
char *cert_path0, *cert_path1, *cert_path2, *cert_str;
|
||||
const char *weechat_dir, *fingerprint;
|
||||
char *cert_path0, *cert_path1, *cert_path2, *cert_str, *fingerprint_eval;
|
||||
const char *weechat_dir, *ptr_fingerprint;
|
||||
int rc, ret, fingerprint_match, hostname_match, cert_temp_init;
|
||||
#if LIBGNUTLS_VERSION_NUMBER >= 0x010706 /* 1.7.6 */
|
||||
gnutls_datum_t cinfo;
|
||||
@@ -4080,6 +4080,7 @@ irc_server_gnutls_callback (const void *pointer, void *data,
|
||||
cert_temp_init = 0;
|
||||
cert_list = NULL;
|
||||
cert_list_len = 0;
|
||||
fingerprint_eval = NULL;
|
||||
|
||||
if (action == WEECHAT_HOOK_CONNECT_GNUTLS_CB_VERIFY_CERT)
|
||||
{
|
||||
@@ -4106,11 +4107,13 @@ irc_server_gnutls_callback (const void *pointer, void *data,
|
||||
cert_temp_init = 1;
|
||||
|
||||
/* get fingerprint option in server */
|
||||
fingerprint = IRC_SERVER_OPTION_STRING (server,
|
||||
IRC_SERVER_OPTION_SSL_FINGERPRINT);
|
||||
ptr_fingerprint = IRC_SERVER_OPTION_STRING(server,
|
||||
IRC_SERVER_OPTION_SSL_FINGERPRINT);
|
||||
fingerprint_eval = weechat_string_eval_expression (ptr_fingerprint,
|
||||
NULL, NULL, NULL);
|
||||
|
||||
/* set match options */
|
||||
fingerprint_match = (fingerprint && fingerprint[0]) ? 0 : 1;
|
||||
fingerprint_match = (ptr_fingerprint && ptr_fingerprint[0]) ? 0 : 1;
|
||||
hostname_match = 0;
|
||||
|
||||
/* get the peer's raw certificate (chain) as sent by the peer */
|
||||
@@ -4143,10 +4146,10 @@ irc_server_gnutls_callback (const void *pointer, void *data,
|
||||
if (i == 0)
|
||||
{
|
||||
/* check if fingerprint matches the first certificate */
|
||||
if (fingerprint && fingerprint[0])
|
||||
if (fingerprint_eval && fingerprint_eval[0])
|
||||
{
|
||||
fingerprint_match = irc_server_check_certificate_fingerprint (
|
||||
server, cert_temp, fingerprint);
|
||||
server, cert_temp, fingerprint_eval);
|
||||
}
|
||||
/* check if hostname matches in the first certificate */
|
||||
if (gnutls_x509_crt_check_hostname (cert_temp,
|
||||
@@ -4178,7 +4181,7 @@ irc_server_gnutls_callback (const void *pointer, void *data,
|
||||
}
|
||||
#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010706 */
|
||||
/* check dates, only if fingerprint is not set */
|
||||
if (!fingerprint || !fingerprint[0])
|
||||
if (!ptr_fingerprint || !ptr_fingerprint[0])
|
||||
{
|
||||
/* check expiration date */
|
||||
cert_time = gnutls_x509_crt_get_expiration_time (cert_temp);
|
||||
@@ -4207,7 +4210,7 @@ irc_server_gnutls_callback (const void *pointer, void *data,
|
||||
* if fingerprint is set, display if matches, and don't check
|
||||
* anything else
|
||||
*/
|
||||
if (fingerprint && fingerprint[0])
|
||||
if (ptr_fingerprint && ptr_fingerprint[0])
|
||||
{
|
||||
if (fingerprint_match)
|
||||
{
|
||||
@@ -4409,6 +4412,9 @@ end:
|
||||
if (cert_temp_init)
|
||||
gnutls_x509_crt_deinit (cert_temp);
|
||||
|
||||
if (fingerprint_eval)
|
||||
free (fingerprint_eval);
|
||||
|
||||
return rc;
|
||||
}
|
||||
#endif /* HAVE_GNUTLS */
|
||||
|
||||
Reference in New Issue
Block a user