summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authormathieui <mathieui@mathieui.net>2014-10-08 12:55:22 +0200
committermathieui <mathieui@mathieui.net>2014-10-08 12:55:22 +0200
commit8d2408c16943ca3c7beb70905690e3b1e24079b2 (patch)
tree578fcf3e1924b89bb73ea837b0d4e58adc7a80b3 /src/core
parentdc4f9cc35a180aff708c9693f6cef8ab992d0fa5 (diff)
downloadpoezio-8d2408c16943ca3c7beb70905690e3b1e24079b2.tar.gz
poezio-8d2408c16943ca3c7beb70905690e3b1e24079b2.tar.bz2
poezio-8d2408c16943ca3c7beb70905690e3b1e24079b2.tar.xz
poezio-8d2408c16943ca3c7beb70905690e3b1e24079b2.zip
Use SHA-2 (SHA-512) to store the certificate fingerprint instead of SHA-1
Because SHA-1 is not really relevant anymore. Too bad it's significantly longer and tiring to check, even if that is to be expected.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/handlers.py35
1 files changed, 23 insertions, 12 deletions
diff --git a/src/core/handlers.py b/src/core/handlers.py
index 462ba4d7..96a0f7e8 100644
--- a/src/core/handlers.py
+++ b/src/core/handlers.py
@@ -8,7 +8,7 @@ log = logging.getLogger(__name__)
import curses
import ssl
import time
-from hashlib import sha1
+from hashlib import sha1, sha512
from gettext import gettext as _
from sleekxmpp import InvalidJID
@@ -1069,16 +1069,27 @@ def validate_ssl(self, pem):
config.set_and_save('certificate', cert)
der = ssl.PEM_cert_to_DER_cert(pem)
- digest = sha1(der).hexdigest().upper()
- found_cert = ':'.join(i + j for i, j in zip(digest[::2], digest[1::2]))
+ sha1_digest = sha1(der).hexdigest().upper()
+ sha1_found_cert = ':'.join(i + j for i, j in zip(sha1_digest[::2], sha1_digest[1::2]))
+ sha2_digest = sha512(der).hexdigest().upper()
+ sha2_found_cert = ':'.join(i + j for i, j in zip(sha2_digest[::2], sha2_digest[1::2]))
if cert:
- if found_cert == cert:
- log.debug('Cert %s OK', found_cert)
+ if sha1_found_cert == cert:
+ log.debug('Cert %s OK', sha1_found_cert)
+ log.debug('Current hash is SHA-1, moving to SHA-2 (%s)',
+ sha2_found_cert)
+ config.set_and_save('certificate', sha2_found_cert)
+ return
+ elif sha2_found_cert == cert:
+ log.debug('Cert %s OK', sha2_found_cert)
return
else:
saved_input = self.current_tab().input
- log.debug('\nWARNING: CERTIFICATE CHANGED old: %s, new: %s\n', cert, found_cert)
- input = windows.YesNoInput(text="WARNING! Server certificate has changed, accept? (y/n) (%s)" % found_cert)
+ log.debug('\nWARNING: CERTIFICATE CHANGED old: %s, new: %s\n', cert, sha2_found_cert)
+ self.information('New certificate found (sha-2 hash:'
+ ' %s)\nPlease validate or abort' % sha2_found_cert,
+ 'Warning')
+ input = windows.YesNoInput(text="WARNING! Server certificate has changed, accept? (y/n)")
self.current_tab().input = input
input.resize(1, self.current_tab().width, self.current_tab().height-1, 0)
input.refresh()
@@ -1089,16 +1100,16 @@ def validate_ssl(self, pem):
self.current_tab().input = saved_input
self.paused = False
if input.value:
- self.information('Setting new certificate: old: %s, new: %s' % (cert, found_cert), 'Info')
- log.debug('Setting certificate to %s', found_cert)
- if not config.silent_set('certificate', found_cert):
+ self.information('Setting new certificate: old: %s, new: %s' % (cert, sha2_found_cert), 'Info')
+ log.debug('Setting certificate to %s', sha2_found_cert)
+ if not config.silent_set('certificate', sha2_found_cert):
self.information(_('Unable to write in the config file'), 'Error')
else:
self.information('You refused to validate the certificate. You are now disconnected', 'Info')
self.xmpp.disconnect()
else:
- log.debug('First time. Setting certificate to %s', found_cert)
- if not config.silent_set('certificate', found_cert):
+ log.debug('First time. Setting certificate to %s', sha2_found_cert)
+ if not config.silent_set('certificate', sha2_found_cert):
self.information(_('Unable to write in the config file'), 'Error')
def _composing_tab_state(tab, state):