From: Kevin McCarthy Date: Fri, 31 Aug 2018 22:50:00 +0000 (-0700) Subject: Convert certificate prompts to show sha-256 instead of md5. X-Git-Tag: mutt-1-11-rel~73 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1b4860a51e8c6d417913834f600f3929727982df;p=mutt Convert certificate prompts to show sha-256 instead of md5. Due to the length of the sha-256 fingerprint, split the output into two lines. Note that this change now requires OpenSSL 0.9.8+ [2005-07-05], and GnuTLS 1.7.4+ [2007-02-05]. --- diff --git a/mutt_ssl.c b/mutt_ssl.c index 32080cf0..309394bc 100644 --- a/mutt_ssl.c +++ b/mutt_ssl.c @@ -1174,7 +1174,7 @@ static int interactive_check_cert (X509 *cert, int idx, int len, SSL *ssl, int a mutt_push_current_menu (menu); - menu->max = mutt_array_size (part) * 2 + 10; + menu->max = mutt_array_size (part) * 2 + 11; menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *)); for (i = 0; i < menu->max; i++) menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char)); @@ -1207,8 +1207,13 @@ static int interactive_check_cert (X509 *cert, int idx, int len, SSL *ssl, int a x509_fingerprint (buf, sizeof (buf), cert, EVP_sha1); snprintf (menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), buf); buf[0] = '\0'; - x509_fingerprint (buf, sizeof (buf), cert, EVP_md5); - snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), buf); + buf[40] = '\0'; /* Ensure the second printed line is null terminated */ + x509_fingerprint (buf, sizeof (buf), cert, EVP_sha256); + buf[39] = '\0'; /* Divide into two lines of output */ + snprintf (menu->dialog[row++], SHORT_STRING, "%s%s", + _("SHA256 Fingerprint: "), buf); + snprintf (menu->dialog[row++], SHORT_STRING, "%*s%s", + (int)mutt_strlen (_("SHA256 Fingerprint: ")), "", buf + 40); snprintf (title, sizeof (title), _("SSL Certificate check (certificate %d of %d in chain)"), diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c index 56ff8406..77346a48 100644 
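Review bot: The row budget `menu->max = mutt_array_size (part) * 2 + 11` is a hand-counted total that has to be bumped every time a `row++` line is added, which is exactly what this commit does, and nothing visible guards `menu->dialog[row++]` against `row` reaching `menu->max`. I would record the dependency right on this line, e.g. `/* number of fixed rows emitted below; bump whenever a row++ line is added */`, and add a guard where the rows are filled so an undercount cannot index past the dialog array. The filling code and the rest of interactive_check_cert lie outside the hunk.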
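Review bot: The split offsets `buf[40] = '\0'` and `buf[39] = '\0'` hard-code the text layout produced by x509_fingerprint — they are only right if the formatted SHA-256 digest has a separator at index 39 (presumably mutt's grouped `XXXX XXXX` form, 80 characters for a 32-byte digest), and nothing here names or checks that, so a change to the formatting would silently truncate the first line mid-group. I would hoist the two numbers into one named constant with the derivation written down, e.g. `#define FP_SPLIT 40 /* SHA-256 fingerprint: break after the 8th group (verify against x509_fingerprint's format) */` and index with `buf[FP_SPLIT - 1]` / `buf + FP_SPLIT`. A minor second point: the continuation indent `%*s` is computed with `mutt_strlen`, a byte count, so a translated "SHA256 Fingerprint: " containing multibyte characters misaligns the second line; a display-width measure (mutt_strwidth, if it is available here) would be the right one. interactive_check_cert's body continues outside the hunk.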
--- a/mutt_ssl_gnutls.c +++ b/mutt_ssl_gnutls.c @@ -594,11 +594,11 @@ static int tls_compare_certificates (const gnutls_datum_t *peercert) static void tls_fingerprint (gnutls_digest_algorithm_t algo, char* s, int l, const gnutls_datum_t* data) { - unsigned char md[36]; + unsigned char md[64]; size_t n; int j; - n = 36; + n = 64; if (gnutls_fingerprint (algo, data, (char *)md, &n) < 0) { @@ -859,7 +859,7 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata, } menu = mutt_new_menu (MENU_GENERIC); - menu->max = 25; + menu->max = 26; menu->dialog = (char **) safe_calloc (1, menu->max * sizeof (char *)); for (i = 0; i < menu->max; i++) menu->dialog[i] = (char *) safe_calloc (1, SHORT_STRING * sizeof (char)); @@ -958,8 +958,13 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata, tls_fingerprint (GNUTLS_DIG_SHA, fpbuf, sizeof (fpbuf), certdata); snprintf (menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), fpbuf); fpbuf[0] = '\0'; - tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata); - snprintf (menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf); + fpbuf[40] = '\0'; /* Ensure the second printed line is null terminated */ + tls_fingerprint (GNUTLS_DIG_SHA256, fpbuf, sizeof (fpbuf), certdata); + fpbuf[39] = '\0'; /* Divide into two lines of output */ + snprintf (menu->dialog[row++], SHORT_STRING, "%s%s", + _("SHA256 Fingerprint: "), fpbuf); + snprintf (menu->dialog[row++], SHORT_STRING, "%*s%s", + (int)mutt_strlen (_("SHA256 Fingerprint: ")), "", fpbuf + 40); if (certerr & CERTERR_NOTYETVALID) { @@ -1043,6 +1048,8 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata, /* save hostname if necessary */ if (certerr & CERTERR_HOSTNAME) { + fpbuf[0] = '\0'; + tls_fingerprint (GNUTLS_DIG_MD5, fpbuf, sizeof (fpbuf), certdata); fprintf(fp, "#H %s %s\n", hostname, fpbuf); done = 1; }
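Review bot: `n = 64;` repeats the size of `md[64]` by hand, so the two values can drift apart the next time the buffer is resized; `n = sizeof md;` (or one named constant used in both places) keeps the length handed to gnutls_fingerprint tied to the actual buffer. Since the caller only needs 32 bytes for SHA-256, the choice of 64 deserves a comment as well: `unsigned char md[64]; /* large enough for any digest up to SHA-512 */`. The remainder of tls_fingerprint, including the loop that formats `md`, lies outside the hunk.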
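Review bot: This two-line split (`fpbuf[40]`, `fpbuf[39]`, the `%*s` indent derived from `mutt_strlen`) is a byte-for-byte copy of the block this same commit adds to mutt_ssl.c, so the magic offsets now live in two files and must be changed in step. Factoring it into one helper shared by both back ends, something like `static void print_fingerprint_rows (char **dialog, int *row, const char *label, char *fp)` placed where both files can reach it, would keep the layout assumption (a separator at index 39 of the formatted digest, as presumably produced by tls_fingerprint and x509_fingerprint) in a single place with a single comment. tls_check_one_certificate's body continues outside the hunk.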
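Review bot: The `#H` hostname exception written here is still keyed on an MD5 fingerprint — the hunk now recomputes it explicitly with `GNUTLS_DIG_MD5` because `fpbuf` holds the SHA-256 shown in the prompt — so the user verifies a SHA-256 value while the persisted trust decision stays bound to a digest with practical chosen-prefix collisions. Presumably the code that matches `#H` lines (outside this hunk) expects MD5 and existing certificate files would stop matching if the format changed, but that reason is not recorded; at minimum add `/* #H lines are matched by MD5 fingerprint; keep MD5 so existing certificate files remain valid */` above the call, and consider writing the SHA-256 form with the reader accepting either during a migration period. tls_check_one_certificate's body continues outside the hunk.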