--- a/libpurple/certificate.c Thu Feb 23 06:35:24 2017 +0000
+++ b/libpurple/certificate.c Mon Mar 06 03:32:06 2017 -0300
@@ -84,6 +84,29 @@
+get_ascii_fingerprints (PurpleCertificate *crt, gchar **sha1, gchar **sha256) + sha_bin = purple_certificate_get_fingerprint_sha1(crt); + *sha1 = purple_base16_encode_chunked(sha_bin->data, sha_bin->len); + g_byte_array_free(sha_bin, TRUE); + sha_bin = purple_certificate_get_fingerprint_sha256(crt, FALSE); + *sha256 = (sha_bin == NULL) ? g_strdup("(null)") : + purple_base16_encode_chunked(sha_bin->data, sha_bin->len); + g_byte_array_free(sha_bin, TRUE); purple_certificate_verify (PurpleCertificateVerifier *verifier,
const gchar *subject_name, GList *cert_chain,
@@ -388,6 +411,30 @@
+purple_certificate_get_fingerprint_sha256(PurpleCertificate *crt, gboolean sha1_fallback) + PurpleCertificateScheme *scheme; + GByteArray *fpr = NULL; + g_return_val_if_fail(crt, NULL); + g_return_val_if_fail(crt->scheme, NULL); + if (!PURPLE_CERTIFICATE_SCHEME_HAS_FUNC(scheme, get_fingerprint_sha256)) { + /* outdated ssl module? fallback to sha1 and print a warning */ + fpr = purple_certificate_get_fingerprint_sha1(crt); + g_return_val_if_reached(fpr); + fpr = (scheme->get_fingerprint_sha256)(crt); purple_certificate_get_unique_id(PurpleCertificate *crt)
@@ -630,18 +677,13 @@
x509_singleuse_start_verify (PurpleCertificateVerificationRequest *vrq)
+ gchar *sha1_asc, *sha256_asc; - gchar *primary, *secondary;
+ gchar *primary, *secondary, *secondary_extra; PurpleCertificate *crt = (PurpleCertificate *) vrq->cert_chain->data;
- /* Pull out the SHA1 checksum */
- sha_bin = purple_certificate_get_fingerprint_sha1(crt);
- /* Now decode it for display */
- sha_asc = purple_base16_encode_chunked(sha_bin->data,
+ get_ascii_fingerprints(crt, &sha1_asc, &sha256_asc); /* Get the cert Common Name */
cn = purple_certificate_get_subject_name(crt);
@@ -655,14 +697,17 @@
primary = g_strdup_printf(_("%s has presented the following certificate for just-this-once use:"), vrq->subject_name);
- secondary = g_strdup_printf(_("Common name: %s %s\nFingerprint (SHA1): %s"), cn, cn_match, sha_asc);
+ secondary = g_strdup_printf(_("Common name: %s %s\nFingerprint (SHA1): %s"), cn, cn_match, sha1_asc); + /* TODO: make this part of the translatable string above */ + secondary_extra = g_strdup_printf("%s\nSHA256: %s", secondary, sha256_asc); /* Make a semi-pretty display */
purple_request_accept_cancel(
vrq->cb_data, /* TODO: Find what the handle ought to be */
_("Single-use Certificate Verification"),
0, /* Accept by default */
NULL, /* No other user */
@@ -675,8 +720,9 @@
- g_byte_array_free(sha_bin, TRUE);
+ g_free(secondary_extra); @@ -1506,10 +1552,10 @@
- /* Now get SHA1 sums for both and compare them */
+ /* Now get SHA256 sums for both and compare them */ /* TODO: This is not an elegant way to compare certs */
- peer_fpr = purple_certificate_get_fingerprint_sha1(peer_crt);
- cached_fpr = purple_certificate_get_fingerprint_sha1(cached_crt);
+ peer_fpr = purple_certificate_get_fingerprint_sha256(peer_crt, TRUE); + cached_fpr = purple_certificate_get_fingerprint_sha256(cached_crt, TRUE); if (!memcmp(peer_fpr->data, cached_fpr->data, peer_fpr->len)) {
purple_debug_info("certificate/x509/tls_cached",
"Peer cert matched cached\n");
@@ -1616,8 +1662,8 @@
- failing_fpr = purple_certificate_get_fingerprint_sha1(failing_crt);
- ca_fpr = purple_certificate_get_fingerprint_sha1(ca_crt);
+ failing_fpr = purple_certificate_get_fingerprint_sha256(failing_crt, TRUE); + ca_fpr = purple_certificate_get_fingerprint_sha256(ca_crt, TRUE); if (byte_arrays_equal(failing_fpr, ca_fpr)) {
purple_debug_info("certificate/x509/tls_cached",
"Full chain verification failed (probably a bad "
@@ -1699,10 +1745,10 @@
* If the fingerprints don't match, we'll fall back to checking the
- last_fpr = purple_certificate_get_fingerprint_sha1(end_crt);
+ last_fpr = purple_certificate_get_fingerprint_sha256(end_crt, TRUE); for (cur = ca_crts; cur; cur = cur->next) {
- ca_fpr = purple_certificate_get_fingerprint_sha1(ca_crt);
+ ca_fpr = purple_certificate_get_fingerprint_sha256(ca_crt, TRUE); if ( byte_arrays_equal(last_fpr, ca_fpr) ||
purple_certificate_signed_by(end_crt, ca_crt) )
@@ -2152,19 +2198,14 @@
purple_certificate_display_x509(PurpleCertificate *crt)
+ gchar *sha1_asc, *sha256_asc; time_t activation, expiration;
gchar *activ_str, *expir_str;
+ gchar *secondary, *secondary_extra; - /* Pull out the SHA1 checksum */
- sha_bin = purple_certificate_get_fingerprint_sha1(crt);
- /* Now decode it for display */
- sha_asc = purple_base16_encode_chunked(sha_bin->data,
+ get_ascii_fingerprints(crt, &sha1_asc, &sha256_asc); /* Get the cert Common Name */
/* TODO: Will break on CA certs */
@@ -2193,20 +2234,23 @@
"Expiration date: %s\n"),
self_signed ? _("(self-signed)") : (issuer_id ? issuer_id : "(null)"),
- sha_asc ? sha_asc : "(null)",
+ sha1_asc ? sha1_asc : "(null)", activ_str ? activ_str : "(null)",
expir_str ? expir_str : "(null)");
+ /* TODO: make this part of the translatable string above */ + secondary_extra = g_strdup_printf("%sSHA256: %s", secondary, sha256_asc); /* Make a semi-pretty display */
purple_notify_info(NULL, /* TODO: Find what the handle ought to be */
_("Certificate Information"),
purple_request_action(NULL, /* TODO: Find what the handle ought to be */
_("Certificate Information"), _("Certificate Information"),
- secondary, 2, NULL, NULL, NULL,
+ secondary_extra, 2, NULL, NULL, NULL, _("View Issuer Certificate"), PURPLE_CALLBACK(display_x509_issuer),
_("Close"), PURPLE_CALLBACK(g_free));
@@ -2219,10 +2263,11 @@
+ g_free(secondary_extra); - g_byte_array_free(sha_bin, TRUE);
void purple_certificate_add_ca_search_path(const char *path)
--- a/libpurple/certificate.h Thu Feb 23 06:35:24 2017 +0000
+++ b/libpurple/certificate.h Mon Mar 06 03:32:06 2017 -0300
@@ -315,9 +315,31 @@
void (* verify_cert)(PurpleCertificateVerificationRequest *vrq, PurpleCertificateInvalidityFlags *flags);
- void (*_purple_reserved3)(void);
+ * The size of the PurpleCertificateScheme. This should always be sizeof(PurpleCertificateScheme). + * This allows adding more functions to this struct without requiring a major version bump. + * PURPLE_CERTIFICATE_SCHEME_HAS_FUNC() should be used for functions after this point. + unsigned long struct_size; + * Retrieves the certificate public key fingerprint using SHA256 + * @param crt Certificate instance + * @return Binary representation of SHA256 hash - must be freed using + GByteArray * (* get_fingerprint_sha256)(PurpleCertificate *crt); +#define PURPLE_CERTIFICATE_SCHEME_HAS_FUNC(obj, member) \ + (((G_STRUCT_OFFSET(PurpleCertificateScheme, member) < G_STRUCT_OFFSET(PurpleCertificateScheme, struct_size)) \ + || (G_STRUCT_OFFSET(PurpleCertificateScheme, member) < obj->struct_size)) && \ /** A set of operations used to provide logic for verifying a Certificate's
@@ -578,12 +600,26 @@
* Retrieves the certificate public key fingerprint using SHA1.
* @param crt Certificate instance
- * @return Binary representation of the hash. You are responsible for free()ing
+ * @return Binary representation of the hash. You are responsible for freeing + * this with g_byte_array_free(). + * @see purple_base16_encode_chunked() + * @see purple_certificate_get_fingerprint_sha256() +purple_certificate_get_fingerprint_sha1(PurpleCertificate *crt); + * Retrieves the certificate public key fingerprint using SHA256. + * @param crt Certificate instance + * @param sha1_fallback If true, return SHA1 if the SSL module doesn't + * implement SHA256. Otherwise, return NULL. + * @return Binary representation of the hash. You are responsible for freeing + * this with g_byte_array_free(). * @see purple_base16_encode_chunked()
-purple_certificate_get_fingerprint_sha1(PurpleCertificate *crt);
+purple_certificate_get_fingerprint_sha256(PurpleCertificate *crt, gboolean sha1_fallback); * Get a unique identifier for the certificate
--- a/libpurple/plugins/ssl/ssl-gnutls.c Thu Feb 23 06:35:24 2017 +0000
+++ b/libpurple/plugins/ssl/ssl-gnutls.c Mon Mar 06 03:32:06 2017 -0300
@@ -1037,9 +1037,9 @@
-x509_sha1sum(PurpleCertificate *crt)
+x509_shasum(PurpleCertificate *crt, gnutls_digest_algorithm_t algo) - size_t hashlen = 20; /* SHA1 hashes are 20 bytes */
+ size_t hashlen = (algo == GNUTLS_DIG_SHA1) ? 20 : 32; size_t tmpsz = hashlen; /* Throw-away variable for GnuTLS to stomp on*/
gnutls_x509_crt_t crt_dat;
GByteArray *hash; /**< Final hash container */
@@ -1051,7 +1051,7 @@
/* Extract the fingerprint */
- 0 == gnutls_x509_crt_get_fingerprint(crt_dat, GNUTLS_DIG_SHA,
+ 0 == gnutls_x509_crt_get_fingerprint(crt_dat, algo, @@ -1065,6 +1065,18 @@
+x509_sha1sum(PurpleCertificate *crt) + return x509_shasum(crt, GNUTLS_DIG_SHA1); +x509_sha256sum(PurpleCertificate *crt) + return x509_shasum(crt, GNUTLS_DIG_SHA256); x509_cert_dn (PurpleCertificate *crt)
@@ -1239,8 +1251,8 @@
+ sizeof(PurpleCertificateScheme), /* struct_size */ + x509_sha256sum, /* SHA256 fingerprint */ static PurpleSslOps ssl_ops =
--- a/libpurple/plugins/ssl/ssl-nss.c Thu Feb 23 06:35:24 2017 +0000
+++ b/libpurple/plugins/ssl/ssl-nss.c Mon Mar 06 03:32:06 2017 -0300
@@ -881,11 +881,11 @@
-x509_sha1sum(PurpleCertificate *crt)
+x509_shasum(PurpleCertificate *crt, SECOidTag algo) CERTCertificate *crt_dat;
- size_t hashlen = 20; /* Size of an sha1sum */
+ size_t hashlen = (algo == SEC_OID_SHA1) ? 20 : 32; SECItem *derCert; /* DER representation of the cert */
@@ -899,22 +899,34 @@
derCert = &(crt_dat->derCert);
- sha1sum = g_byte_array_sized_new(hashlen);
+ hash = g_byte_array_sized_new(hashlen); /* glib leaves the size as 0 by default */
- sha1sum->len = hashlen;
- st = PK11_HashBuf(SEC_OID_SHA1, sha1sum->data,
+ st = PK11_HashBuf(algo, hash->data, derCert->data, derCert->len);
- g_byte_array_free(sha1sum, TRUE);
+ g_byte_array_free(hash, TRUE); purple_debug_error("nss/x509",
"Error: hashing failed!\n");
+x509_sha1sum(PurpleCertificate *crt) + return x509_shasum(crt, SEC_OID_SHA1); +x509_sha256sum(PurpleCertificate *crt) + return x509_shasum(crt, SEC_OID_SHA256); @@ -1211,7 +1223,8 @@
x509_importcerts_from_file, /* Multiple certificate import function */
x509_register_trusted_tls_cert, /* Register a certificate as trusted for TLS */
x509_verify_cert, /* Verify that the specified cert chain is trusted */
+ sizeof(PurpleCertificateScheme), /* struct_size */ + x509_sha256sum, /* SHA256 fingerprint */ static PurpleSslOps ssl_ops =