Convert certificate prompts to show sha-256 instead of md5.

Due to the length of the sha-256 fingerprint, split the output into
two lines.

Note that this change now requires OpenSSL 0.9.8+ [2005-07-05], and
GnuTLS 1.7.4+ [2007-02-05].

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 32080cf0df4a831413c3a523c63d600654c8e96b..309394bc4ef697788fc2f6fe46e0e241cbacec97 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -1174,7 +1174,7 @@ static int interactive_check_cert (X509 *cert, int idx, int len, SSL *ssl, int a
 
   mutt_push_current_menu (menu);
 
-  menu->max = mutt_array_size (part) * 2 + 10;
+  menu->max = mutt_array_size (part) * 2 + 11;
   menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
   for (i = 0; i < menu->max; i++)
     menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char));
@@ -1207,8 +1207,13 @@ static int interactive_check_cert (X509 *cert, int idx, int len, SSL *ssl, int a
   x509_fingerprint (buf, sizeof (buf), cert, EVP_sha1);
   snprintf (menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), buf);
   buf[0] = '\0';
-  x509_fingerprint (buf, sizeof (buf), cert, EVP_md5);
-  snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), buf);
+  buf[40] = '\0';  /* Ensure the second printed line is null terminated */
+  x509_fingerprint (buf, sizeof (buf), cert, EVP_sha256);
+  buf[39] = '\0';  /* Divide into two lines of output */
+  snprintf (menu->dialog[row++], SHORT_STRING, "%s%s",
+            _("SHA256 Fingerprint: "), buf);
+  snprintf (menu->dialog[row++], SHORT_STRING, "%*s%s",
+            (int)mutt_strlen (_("SHA256 Fingerprint: ")), "", buf + 40);
 
   snprintf (title, sizeof (title),
            _("SSL Certificate check (certificate %d of %d in chain)"),

diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 56ff84065361eb407ac972b26d0f6bd6f4debaf7..77346a48878d9898b5149bf3b4b0cd71640ed17d 100644 (file)
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -594,11 +594,11 @@ static int tls_compare_certificates (const gnutls_datum_t *peercert)
 static void tls_fingerprint (gnutls_digest_algorithm_t algo,
                              char* s, int l, const gnutls_datum_t* data)
 {
-  unsigned char md[36];
+  unsigned char md[64];
   size_t n;
   int j;
 
-  n = 36;
+  n = 64;
 
   if (gnutls_fingerprint (algo, data, (char *)md, &n) < 0)
   {
@@ -859,7 +859,7 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
   }
 
   menu = mutt_new_menu (MENU_GENERIC);
-  menu->max = 25;
+  menu->max = 26;
   menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *));
   for (i = 0; i < menu->max; i++)
     menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char));
@@ -958,8 +958,13 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
   tls_fingerprint (GNUTLS_DIG_SHA, fpbuf, sizeof (fpbuf), certdata);
   snprintf (menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), fpbuf);
   fpbuf[0] = '\0';
-  tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata);
-  snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf);
+  fpbuf[40] = '\0';  /* Ensure the second printed line is null terminated */
+  tls_fingerprint (GNUTLS_DIG_SHA256, fpbuf, sizeof (fpbuf), certdata);
+  fpbuf[39] = '\0';  /* Divide into two lines of output */
+  snprintf (menu->dialog[row++], SHORT_STRING, "%s%s",
+            _("SHA256 Fingerprint: "), fpbuf);
+  snprintf (menu->dialog[row++], SHORT_STRING, "%*s%s",
+            (int)mutt_strlen (_("SHA256 Fingerprint: ")), "", fpbuf + 40);
 
   if (certerr & CERTERR_NOTYETVALID)
   {
@@ -1043,6 +1048,8 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
          /* save hostname if necessary */
          if (certerr & CERTERR_HOSTNAME)
          {
+            fpbuf[0] = '\0';
+            tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata);
            fprintf(fp, "#H %s %s\n", hostname, fpbuf);
            done = 1;
          }