pidgin3: comparison libpurple/certificate.c

-:274575856b52
+:b3d0ba7c75f6
 			return _("An unknown certificate error occurred.");
 			break;
 	}
 }
+static void
+get_ascii_fingerprints (PurpleCertificate *crt, gchar **sha1, gchar **sha256)
+{
+	GByteArray *sha_bin;
+	if (sha1 != NULL) {
+		sha_bin = purple_certificate_get_fingerprint_sha1(crt);
+		*sha1 = purple_base16_encode_chunked(sha_bin->data, sha_bin->len);
+		g_byte_array_free(sha_bin, TRUE);
+	}
+	if (sha256 != NULL) {
+		sha_bin = purple_certificate_get_fingerprint_sha256(crt, FALSE);
+		*sha256 = (sha_bin == NULL) ? g_strdup("(null)") :
+			purple_base16_encode_chunked(sha_bin->data, sha_bin->len);
+		g_byte_array_free(sha_bin, TRUE);
+	}
+}
 void
 purple_certificate_verify (PurpleCertificateVerifier *verifier,
 			   const gchar *subject_name, GList *cert_chain,
 			   PurpleCertificateVerifiedCallback cb,
 			   gpointer cb_data)
 	fpr = (scheme->get_fingerprint_sha1)(crt);
 	return fpr;
 }
+GByteArray *
+purple_certificate_get_fingerprint_sha256(PurpleCertificate *crt, gboolean sha1_fallback)
+{
+	PurpleCertificateScheme *scheme;
+	GByteArray *fpr = NULL;
+	g_return_val_if_fail(crt, NULL);
+	g_return_val_if_fail(crt->scheme, NULL);
+	scheme = crt->scheme;
+	if (!PURPLE_CERTIFICATE_SCHEME_HAS_FUNC(scheme, get_fingerprint_sha256)) {
+		/* outdated ssl module? fallback to sha1 and print a warning */
+		if (sha1_fallback) {
+			fpr = purple_certificate_get_fingerprint_sha1(crt);
+		}
+		g_return_val_if_reached(fpr);
+	}
+	fpr = (scheme->get_fingerprint_sha256)(crt);
+	return fpr;
+}
 gchar *
 purple_certificate_get_unique_id(PurpleCertificate *crt)
 {
 	g_return_val_if_fail(crt, NULL);
 	g_return_val_if_fail(crt->scheme, NULL);
 }
 static void
 x509_singleuse_start_verify (PurpleCertificateVerificationRequest *vrq)
 {
-	gchar *sha_asc;
+	gchar *sha1_asc, *sha256_asc;
-	GByteArray *sha_bin;
 	gchar *cn;
 	const gchar *cn_match;
-	gchar *primary, *secondary;
+	gchar *primary, *secondary, *secondary_extra;
 	PurpleCertificate *crt = (PurpleCertificate *) vrq->cert_chain->data;
-	/* Pull out the SHA1 checksum */
+	get_ascii_fingerprints(crt, &sha1_asc, &sha256_asc);
-	sha_bin = purple_certificate_get_fingerprint_sha1(crt);
-	/* Now decode it for display */
-	sha_asc = purple_base16_encode_chunked(sha_bin->data,
-					       sha_bin->len);
 	/* Get the cert Common Name */
 	cn = purple_certificate_get_subject_name(crt);
 	/* Determine whether the name matches */
 		cn_match = _("(DOES NOT MATCH)");
 	}
 	/* Make messages */
 	primary = g_strdup_printf(_("%s has presented the following certificate for just-this-once use:"), vrq->subject_name);
-	secondary = g_strdup_printf(_("Common name: %s %s\nFingerprint (SHA1): %s"), cn, cn_match, sha_asc);
+	secondary = g_strdup_printf(_("Common name: %s %s\nFingerprint (SHA1): %s"), cn, cn_match, sha1_asc);
+	/* TODO: make this part of the translatable string above */
+	secondary_extra = g_strdup_printf("%s\nSHA256: %s", secondary, sha256_asc);
 	/* Make a semi-pretty display */
 	purple_request_accept_cancel(
 		vrq->cb_data, /* TODO: Find what the handle ought to be */
 		_("Single-use Certificate Verification"),
 		primary,
-		secondary,
+		secondary_extra,
 		0,            /* Accept by default */
 		NULL,         /* No account */
 		NULL,         /* No other user */
 		NULL,         /* No associated conversation */
 		vrq,
 	/* Cleanup */
 	g_free(cn);
 	g_free(primary);
 	g_free(secondary);
-	g_free(sha_asc);
+	g_free(secondary_extra);
-	g_byte_array_free(sha_bin, TRUE);
+	g_free(sha1_asc);
+	g_free(sha256_asc);
 }
 static void
 x509_singleuse_destroy_request (PurpleCertificateVerificationRequest *vrq)
 {
 		/* vrq now becomes the problem of unknown_peer */
 		x509_tls_cached_unknown_peer(vrq, flags);
 		return;
 	}
-	/* Now get SHA1 sums for both and compare them */
+	/* Now get SHA256 sums for both and compare them */
 	/* TODO: This is not an elegant way to compare certs */
-	peer_fpr = purple_certificate_get_fingerprint_sha1(peer_crt);
+	peer_fpr = purple_certificate_get_fingerprint_sha256(peer_crt, TRUE);
-	cached_fpr = purple_certificate_get_fingerprint_sha1(cached_crt);
+	cached_fpr = purple_certificate_get_fingerprint_sha256(cached_crt, TRUE);
 	if (!memcmp(peer_fpr->data, cached_fpr->data, peer_fpr->len)) {
 		purple_debug_info("certificate/x509/tls_cached",
 				  "Peer cert matched cached\n");
 		x509_tls_cached_complete(vrq, flags);
 	} else {
 			gchar *uid = purple_certificate_get_unique_id(failing_crt);
 			PurpleCertificate *ca_crt = purple_certificate_pool_retrieve(ca, uid);
 			if (ca_crt != NULL) {
 				GByteArray *failing_fpr;
 				GByteArray *ca_fpr;
-				failing_fpr = purple_certificate_get_fingerprint_sha1(failing_crt);
+				failing_fpr = purple_certificate_get_fingerprint_sha256(failing_crt, TRUE);
-				ca_fpr = purple_certificate_get_fingerprint_sha1(ca_crt);
+				ca_fpr = purple_certificate_get_fingerprint_sha256(ca_crt, TRUE);
 				if (byte_arrays_equal(failing_fpr, ca_fpr)) {
 					purple_debug_info("certificate/x509/tls_cached",
 							"Full chain verification failed (probably a bad "
 							"signature algorithm), but found the last "
 							"certificate %s in the CA pool.\n", uid);
 	 * circumstances (one of Verisign's root CAs is self-signed with MD2).
 	 *
 	 * If the fingerprints don't match, we'll fall back to checking the
 	 * signature.
 	 */
-	last_fpr = purple_certificate_get_fingerprint_sha1(end_crt);
+	last_fpr = purple_certificate_get_fingerprint_sha256(end_crt, TRUE);
 	for (cur = ca_crts; cur; cur = cur->next) {
 		ca_crt = cur->data;
-		ca_fpr = purple_certificate_get_fingerprint_sha1(ca_crt);
+		ca_fpr = purple_certificate_get_fingerprint_sha256(ca_crt, TRUE);
 		if ( byte_arrays_equal(last_fpr, ca_fpr) ||
 				purple_certificate_signed_by(end_crt, ca_crt) )
 		{
 			/* TODO: If signed_by ever returns a reason, maybe mention
 }
 void
 purple_certificate_display_x509(PurpleCertificate *crt)
 {
-	gchar *sha_asc;
+	gchar *sha1_asc, *sha256_asc;
-	GByteArray *sha_bin;
 	gchar *cn, *issuer_id;
 	time_t activation, expiration;
 	gchar *activ_str, *expir_str;
-	gchar *secondary;
+	gchar *secondary, *secondary_extra;
 	gboolean self_signed;
-	/* Pull out the SHA1 checksum */
+	get_ascii_fingerprints(crt, &sha1_asc, &sha256_asc);
-	sha_bin = purple_certificate_get_fingerprint_sha1(crt);
-	/* Now decode it for display */
-	sha_asc = purple_base16_encode_chunked(sha_bin->data,
-					       sha_bin->len);
 	/* Get the cert Common Name */
 	/* TODO: Will break on CA certs */
 	cn = purple_certificate_get_subject_name(crt);
 				  "Fingerprint (SHA1): %s\n\n"
 				  "Activation date: %s\n"
 				  "Expiration date: %s\n"),
 				cn ? cn : "(null)",
 				self_signed ? _("(self-signed)") : (issuer_id ? issuer_id : "(null)"),
-				sha_asc ? sha_asc : "(null)",
+				sha1_asc ? sha1_asc : "(null)",
 				activ_str ? activ_str : "(null)",
 				expir_str ? expir_str : "(null)");
+	/* TODO: make this part of the translatable string above */
+	secondary_extra = g_strdup_printf("%sSHA256: %s", secondary, sha256_asc);
 	/* Make a semi-pretty display */
 	if (self_signed) {
 		purple_notify_info(NULL, /* TODO: Find what the handle ought to be */
 			_("Certificate Information"),
 			"",
-			secondary);
+			secondary_extra);
 	} else {
 		purple_request_action(NULL, /* TODO: Find what the handle ought to be */
 			_("Certificate Information"), _("Certificate Information"),
-			secondary, 2, NULL, NULL, NULL,
+			secondary_extra, 2, NULL, NULL, NULL,
 			issuer_id, 2,
 			_("View Issuer Certificate"), PURPLE_CALLBACK(display_x509_issuer),
 			_("Close"), PURPLE_CALLBACK(g_free));
 		/* purple_request_action has taken ownership of issuer_id */
 	/* Cleanup */
 	g_free(cn);
 	g_free(issuer_id);
 	g_free(secondary);
-	g_free(sha_asc);
+	g_free(secondary_extra);
+	g_free(sha1_asc);
+	g_free(sha256_asc);
 	g_free(activ_str);
 	g_free(expir_str);
-	g_byte_array_free(sha_bin, TRUE);
 }
 void purple_certificate_add_ca_search_path(const char *path)
 {
 	if (g_list_find_custom(x509_ca_paths, path, (GCompareFunc)strcmp))

Mercurial > pidgin3 / file comparison

comparison: libpurple/certificate.c

libpurple/certificate.c