HGKeeper

certificate: Use public key fingerprint to compare certificates
release-2.x.y
2017-03-07, dx

887efbd652d8

certificate: Use public key fingerprint to compare certificates

This fixes an issue with google talk's certificates and gnutls, where the root
certificate in the provided chain is a slightly different version of the one
that is usually present in the certificate stores, but the SubjectPublicKeyInfo
section is the same.

This adds a PurpleCertificateScheme function, compare_pubkeys, and its wrapper
purple_certificate_compare_pubkeys().

This is only implemented for gnutls, since the NSS plugin only uses the NSS
certificate validation code. Even if that path was reachable from a plugin that
doesn't implement this method, it would return FALSE and behave as if this bug
was never fixed.

The gnutls implementation uses the gnutls_x509_crt_get_key_id() function,
which returns a hash of the SubjectPublicKeyInfo section of the certificate.

In gnutls versions older than 3.4.1, this may be a SHA1 hash, but after that
version SHA256 support was added (without much fanfare - the documentation
barely mentions this at all), and we just use the constant for the best known
algo, which for current versions is just SHA256. Older versions ignore that
flag parameter.

The whole comparison is modeled after the private _gnutls_check_if_same_key(),
which checks if both certificates have the same DN ("unique id") and does a
memcmp() of the raw SPKI section. We don't have direct access to the raw SPKI
section but comparing their fingerprints is good enough.

* @file version.c Version Functions

* @ingroup core

/* Purple is the legal property of its developers, whose names are too numerous

* to list here. Please refer to the COPYRIGHT file distributed with this

* source distribution.

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License as published by

* the Free Software Foundation; either version 2 of the License, or

* (at your option) any later version.

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA

#include "internal.h"

#include "version.h"

const guint purple_major_version = PURPLE_MAJOR_VERSION;

const guint purple_minor_version = PURPLE_MINOR_VERSION;

const guint purple_micro_version = PURPLE_MICRO_VERSION;

const char *purple_version_check(guint required_major, guint required_minor, guint required_micro)

{

if (required_major > PURPLE_MAJOR_VERSION)

return "libpurple version too old (major mismatch)";

if (required_major < PURPLE_MAJOR_VERSION)

return "libpurple version too new (major mismatch)";

if (required_minor > PURPLE_MINOR_VERSION)

return "libpurple version too old (minor mismatch)";

if ((required_minor == PURPLE_MINOR_VERSION) && (required_micro > PURPLE_MICRO_VERSION))

return "libpurple version too old (micro mismatch)";

return NULL;

}

pidgin/pidgin