From e1482bb0f1f2c7f2c64cd222d9384bfa7c09b9b6 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy
Date: Fri, 31 Aug 2018 15:50:00 -0700
Subject: [PATCH] Convert certificate prompts to show sha-256 instead of md5.

Due to the length of the sha-256 fingerprint, split the output into two lines. Note that this change now requires OpenSSL 0.9.8+ [2005-07-05], and GnuTLS 1.7.4+ [2007-02-05].
---
 conn/ssl.c | 10 +++++++---
 conn/ssl_gnutls.c | 14 ++++++++++----
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/conn/ssl.c b/conn/ssl.c
index 9c4983fe1..5ae4a5996 100644
--- a/conn/ssl.c
+++ b/conn/ssl.c
@@ -960,7 +960,7 @@ static bool interactive_check_cert(X509 *cert, int idx, size_t len, SSL *ssl, bo
 mutt_menu_push_current(menu);
- menu->max = mutt_array_size(part) * 2 + 10;
+ menu->max = mutt_array_size(part) * 2 + 11;
 menu->dialog = mutt_mem_calloc(1, menu->max * sizeof(char *));
 for (int i = 0; i < menu->max; i++)
 menu->dialog[i] = mutt_mem_calloc(1, SHORT_STRING * sizeof(char));
@@ -997,8 +997,12 @@ static bool interactive_check_cert(X509 *cert, int idx, size_t len, SSL *ssl, bo
 x509_fingerprint(buf, sizeof(buf), cert, EVP_sha1);
 snprintf(menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), buf);
 buf[0] = '\0';
- x509_fingerprint(buf, sizeof(buf), cert, EVP_md5);
- snprintf(menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), buf);
+ buf[40] = '\0'; /* Ensure the second printed line is null terminated */
+ x509_fingerprint(buf, sizeof(buf), cert, EVP_sha256);
+ buf[39] = '\0'; /* Divide into two lines of output */
+ snprintf(menu->dialog[row++], SHORT_STRING, "%s%s", _("SHA256 Fingerprint: "), buf);
+ snprintf(menu->dialog[row++], SHORT_STRING, "%*s%s",
+ (int) mutt_str_strlen(_("SHA256 Fingerprint: ")), "", buf + 40);
 snprintf(title, sizeof(title), _("SSL Certificate check (certificate %zu of %zu in chain)"), len - idx, len);
diff --git a/conn/ssl_gnutls.c b/conn/ssl_gnutls.c
index ddcade354..6af87cce1 100644
--- a/conn/ssl_gnutls.c
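Review bot: In the second conn/ssl.c hunk the two-line split depends on bare offsets: `buf[39] = '\0'` and `buf + 40` are only right if x509_fingerprint() always places a separator at index 39, and the write to `buf[40]` assumes `buf` is longer than 40 bytes. Both that helper and the declaration of `buf` are outside the hunk, as are the start and end of interactive_check_cert. Because this text is what the user compares when deciding whether to trust a certificate, a mis-split or silently truncated line is worth guarding against. I would state the dependency next to the offsets, e.g. `/* assumes x509_fingerprint() output has a separator at index 39; keep in sync with that helper */`, or use one named constant for both. The same applies to `fpbuf[39]` / `fpbuf + 40` in the tls_check_one_certificate hunk of conn/ssl_gnutls.c.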
+++ b/conn/ssl_gnutls.c
@@ -260,10 +260,10 @@ static gnutls_certificate_status_t tls_verify_peers(gnutls_session_t tlsstate)
 static void tls_fingerprint(gnutls_digest_algorithm_t algo, char *buf, size_t buflen, const gnutls_datum_t *data)
 {
- unsigned char md[36];
+ unsigned char md[64];
 size_t n;
- n = 36;
+ n = 64;
 if (gnutls_fingerprint(algo, data, (char *) md, &n) < 0)
 {
@@ -728,8 +728,12 @@ static int tls_check_one_certificate(const gnutls_datum_t *certdata,
 tls_fingerprint(GNUTLS_DIG_SHA, fpbuf, sizeof(fpbuf), certdata);
 snprintf(menu->dialog[row++], SHORT_STRING, _("SHA1 Fingerprint: %s"), fpbuf);
 fpbuf[0] = '\0';
- tls_fingerprint(GNUTLS_DIG_MD5, fpbuf, sizeof(fpbuf), certdata);
- snprintf(menu->dialog[row++], SHORT_STRING, _("MD5 Fingerprint: %s"), fpbuf);
+ fpbuf[40] = '\0'; /* Ensure the second printed line is null terminated */
+ tls_fingerprint(GNUTLS_DIG_SHA256, fpbuf, sizeof(fpbuf), certdata);
+ fpbuf[39] = '\0'; /* Divide into two lines of output */
+ snprintf(menu->dialog[row++], SHORT_STRING, "%s%s", _("SHA256 Fingerprint: "), fpbuf);
+ snprintf(menu->dialog[row++], SHORT_STRING, "%*s%s",
+ (int) mutt_str_strlen(_("SHA256 Fingerprint: ")), "", fpbuf + 40);
 if (certerr & CERTERR_NOTYETVALID)
 {
@@ -817,6 +821,8 @@ static int tls_check_one_certificate(const gnutls_datum_t *certdata,
 /* save hostname if necessary */
 if (certerr & CERTERR_HOSTNAME)
 {
+ fpbuf[0] = '\0';
+ tls_fingerprint(GNUTLS_DIG_MD5, fpbuf, sizeof(fpbuf), certdata);
 fprintf(fp, "#H %s %s\n", hostname, fpbuf);
 done = 1;
 }
--
2.40.0
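Review bot: In tls_fingerprint the capacity is now spelled twice, as `md[64]` and `n = 64`, and `n` is the size gnutls_fingerprint() is told it may fill, so the two literals have to be kept equal by hand. Deriving the length from the array, `n = sizeof(md);`, removes the chance of them drifting apart in a later edit. The rest of the function is outside the hunk.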
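Review bot: The SHA-256 block in tls_check_one_certificate now consumes two `menu->dialog[row++]` slots where the MD5 line used one, but no hunk in this file adjusts the dialog allocation, whereas conn/ssl.c raises `menu->max` from `+ 10` to `+ 11` for the same extra row. The allocation here is outside the visible lines, so it may already have spare rows. If it does not, a later `snprintf` in this function would write through a pointer past the end of the array. It is worth confirming the row budget and recording it beside the allocation, e.g. `/* rows: includes 2 for the SHA-256 fingerprint */`.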
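Review bot: The `#H` entry written under `CERTERR_HOSTNAME` is still keyed on an MD5 fingerprint, so the persisted hostname exception keeps relying on the digest this commit removes from the prompt. The recomputation is needed because `fpbuf` holds the truncated SHA-256 string by this point, and that deserves a comment such as `/* the #H line stores the MD5 fingerprint; fpbuf was overwritten for display above */`. If the code that reads these entries (not part of this diff) can accept both forms, writing SHA-256 for new entries would be the stronger follow-up. tls_check_one_certificate starts and ends outside the hunk.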