Support a trusted SHA1 fingerprint to be configured for each IRC server

1 files changed, 14 insertions, 1 deletions

diff --git a/louloulibs/network/credentials_manager.cpp b/louloulibs/network/credentials_manager.cpp
index 57100ee..f92aef8 100644
--- a/louloulibs/network/credentials_manager.cpp
+++ b/louloulibs/network/credentials_manager.cpp
@@ -26,11 +26,17 @@ bool Basic_Credentials_Manager::certs_loaded = false;
 
 Basic_Credentials_Manager::Basic_Credentials_Manager(const TCPSocketHandler* const socket_handler):
     Botan::Credentials_Manager(),
-    socket_handler(socket_handler)
+    socket_handler(socket_handler),
+    trusted_fingerprint{}
 {
   this->load_certs();
 }
 
+void Basic_Credentials_Manager::set_trusted_fingerprint(const std::string& fingerprint)
+{
+  this->trusted_fingerprint = fingerprint;
+}
+
 void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type,
                                                          const std::string& purported_hostname,
                                                          const std::vector<Botan::X509_Certificate>& certs)
@@ -44,6 +50,13 @@ void Basic_Credentials_Manager::verify_certificate_chain(const std::string& type
   catch (const std::exception& tls_exception)
     {
       log_warning("TLS certificate check failed: " << tls_exception.what());
+      if (!this->trusted_fingerprint.empty() && !certs.empty() &&
+          this->trusted_fingerprint == certs[0].fingerprint() &&
+          certs[0].matches_dns_name(purported_hostname))
+        // We trust the certificate, based on the trusted fingerprint and
+        // the fact that the hostname matches
+        return;
+
       if (this->socket_handler->abort_on_invalid_cert())
         throw;
     }