From 710247891cdfd4e66ee6d1715e93626def6871f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Helleu?=
Date: Sun, 13 Mar 2022 20:20:03 +0100
Subject: [PATCH] core: set again TLS verification functions after GnuTLS options are changed (issue #1763)

When changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the GnuTLS credentials are freed then allocated again, but the verification function used to check the certificate on connection is not set again. As a consequence, any TLS connection is made without checking the certificate.

This regression was introduced in version 3.2, when the options were changed to automatically load system certificates without having to give the path, and to let user give an extra custom path with certificates.
---
 ChangeLog.adoc | 7 +++++++
 src/core/wee-network.c | 38 +++++++++++++++++++++++---------------
 2 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/ChangeLog.adoc b/ChangeLog.adoc
index d4015d932..22a2f1657 100644
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@@ -15,6 +15,13 @@ https://weechat.org/files/releasenotes/ReleaseNotes-devel.html[release notes]
 (file _ReleaseNotes.adoc_ in sources).
 
 
+[[v3.4.1]]
+== Version 3.4.1 (under dev)
+
+Bug fixes::
+
+ * core: set again TLS verification functions after options weechat.network.gnutls_ca_system and weechat.network.gnutls_ca_user are changed (issue #1763)
+
 [[v3.4]]
 == Version 3.4 (2021-12-18)
 
diff --git a/src/core/wee-network.c b/src/core/wee-network.c
index 8e235c983..ac142bb02 100644
--- a/src/core/wee-network.c
+++ b/src/core/wee-network.c
@@ -91,6 +91,27 @@ network_init_gcrypt ()
 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 }
 
+/*
+ * Allocates credentials structure.
+ */
+
+void
+network_allocate_credentials ()
+{
+ gnutls_certificate_allocate_credentials (&gnutls_xcred);
+#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* 2.9.10 */
+ gnutls_certificate_set_verify_function (gnutls_xcred,
+ &hook_connect_gnutls_verify_certificates);
+#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x02090a */
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
+ gnutls_certificate_set_retrieve_function (gnutls_xcred,
+ &hook_connect_gnutls_set_certificates);
+#else
+ gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
+ &hook_connect_gnutls_set_certificates);
+#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
+}
+
 /*
  * Loads system's default trusted certificate authorities.
  *
@@ -259,9 +280,7 @@ network_reload_ca_files (int force_display)
 network_num_certs),
 network_num_certs);
 }
-
- gnutls_certificate_allocate_credentials (&gnutls_xcred);
-
+ network_allocate_credentials ();
 network_load_ca_files (force_display);
 }
 
@@ -275,19 +294,8 @@ network_init_gnutls ()
 if (!weechat_no_gnutls)
 {
 gnutls_global_init ();
- gnutls_certificate_allocate_credentials (&gnutls_xcred);
+ network_allocate_credentials ();
 network_load_ca_files (0);
-#if LIBGNUTLS_VERSION_NUMBER >= 0x02090a /* 2.9.10 */
- gnutls_certificate_set_verify_function (gnutls_xcred,
- &hook_connect_gnutls_verify_certificates);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x02090a */
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020b00 /* 2.11.0 */
- gnutls_certificate_set_retrieve_function (gnutls_xcred,
- &hook_connect_gnutls_set_certificates);
-#else
- gnutls_certificate_client_set_retrieve_function (gnutls_xcred,
- &hook_connect_gnutls_set_certificates);
-#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x020b00 */
 }
 
 network_init_gnutls_ok = 1;
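Review bot: The return value of gnutls_certificate_allocate_credentials in network_allocate_credentials is discarded, so on an allocation failure gnutls_xcred is not a usable handle when gnutls_certificate_set_verify_function and the retrieve-function setter are called on it in the next lines; the removed code in network_init_gnutls had the same gap, but this helper is now the single place to close it, e.g. `if (gnutls_certificate_allocate_credentials (&gnutls_xcred) != GNUTLS_E_SUCCESS)` followed by `    return;` after reporting the error through the file's usual logging path. The header comment is also worth expanding so the invariant survives the next refactor, since the regression being fixed came from allocating credentials without the callbacks: `Allocates the credentials structure and installs the certificate verification/retrieve callbacks; always use this instead of calling gnutls_certificate_allocate_credentials directly, so that reallocating on a CA reload keeps certificate checking enabled.` The two following hunks (network_reload_ca_files and network_init_gnutls) are the only callers shown; whether network_load_ca_files tolerates an unset gnutls_xcred after such an early return, and whether the reload path frees the previous credentials before this call, is outside the visible lines.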