diff options
-rw-r--r-- | poezio/core/handlers.py | 106 |
1 files changed, 59 insertions, 47 deletions
diff --git a/poezio/core/handlers.py b/poezio/core/handlers.py index e1e3b4b1..1ffb06a1 100644 --- a/poezio/core/handlers.py +++ b/poezio/core/handlers.py @@ -46,6 +46,27 @@ try: except ImportError: PYGMENTS = False +CERT_WARNING_TEXT = """ +WARNING: CERTIFICATE FOR %s CHANGED + +This can be part of a normal renewal process, but can also mean that \ +an attacker is performing a man-in-the-middle attack on your connection. +When in doubt, check with your administrator using another channel. + +SHA-512 of the old certificate: %s + +SHA-512 of the new certificate: %s +""" + +HTTP_VERIF_TEXT = """ +Someone (maybe you) has requested an identity verification +using method "%s" for the url "%s". + +The transaction id is: %s +And the XMPP address of the verification service is %s. + +""" + class HandlerCore: def __init__(self, core): @@ -1187,6 +1208,41 @@ class HandlerCore: self.core.information('The certificate sent by the server is invalid.', 'Error') self.core.disconnect() + def _ssl_pop_tab(self, old_cert, new_cert): + def cb(result): + if result: + self.core.information('New certificate accepted.', 'Info') + log.debug('Setting certificate to %s', new_cert) + if not config.silent_set('certificate', new_cert): + self.core.information( + 'Unable to write in the config file', + 'Error') + else: + self.core.information('You refused to validate the certificate.' + ' You are now disconnected.', 'Info') + self.core.disconnect() + new_loop.stop() + asyncio.set_event_loop(old_loop) + + confirm_tab = tabs.ConfirmTab(self.core, + 'Certificate check required', + CERT_WARNING_TEXT % (self.core.xmpp.boundjid.domain, old_cert, new_cert), + 'You need to accept or reject the certificate', + cb, + critical=True) + + + self.core.add_tab(confirm_tab, True) + self.core.doupdate() + # some magic to avoid running the event loop in which slixmpp + # does stuff. FIXME: not perfect. + old_loop = asyncio.get_event_loop() + new_loop = asyncio.new_event_loop() + asyncio.set_event_loop(new_loop) + new_loop.add_reader(sys.stdin, self.core.on_input_readable) + curses.beep() + new_loop.run_forever() + def validate_ssl(self, pem): """ Check the server certificate using the slixmpp ssl_cert event @@ -1204,9 +1260,9 @@ class HandlerCore: sha1_found_cert = ':'.join(i + j for i, j in zip(sha1_digest[::2], sha1_digest[1::2])) sha2_digest = sha512(der).hexdigest().upper() sha2_found_cert = ':'.join(i + j for i, j in zip(sha2_digest[::2], sha2_digest[1::2])) + if cert: if sha1_found_cert == cert: - log.debug('Cert %s OK', sha1_found_cert) log.debug('Current hash is SHA-1, moving to SHA-2 (%s)', sha2_found_cert) config.set_and_save('certificate', sha2_found_cert) @@ -1214,44 +1270,7 @@ class HandlerCore: elif sha2_found_cert == cert: return else: - def cb(result): - if result: - self.core.information('New certificate accepted.', 'Info') - log.debug('Setting certificate to %s', sha2_found_cert) - if not config.silent_set('certificate', sha2_found_cert): - self.core.information( - 'Unable to write in the config file', - 'Error') - else: - self.core.information('You refused to validate the certificate. You are now disconnected.', 'Info') - self.core.disconnect() - new_loop.stop() - asyncio.set_event_loop(old_loop) - confirm_tab = tabs.ConfirmTab( - self.core, - 'Certificate check required', - """ -WARNING: CERTIFICATE FOR %s CHANGED - -This can be part of a normal renewal process, but can also mean that \ -an attacker is performing a man-in-the-middle attack on your connection. -When in doubt, check with your administrator using another channel. - -SHA-512 of the old certificate: %s - -SHA-512 of the new certificate: %s -""" % (self.core.xmpp.boundjid.domain, cert, sha2_found_cert), - 'You need to accept or reject the certificate', - cb, - critical=True) - self.core.add_tab(confirm_tab, True) - self.core.doupdate() - old_loop = asyncio.get_event_loop() - new_loop = asyncio.new_event_loop() - asyncio.set_event_loop(new_loop) - new_loop.add_reader(sys.stdin, self.core.on_input_readable) - curses.beep() - new_loop.run_forever() + self._ssl_pop_tab(cert, sha2_found_cert) else: log.debug('First time. Setting certificate to %s', sha2_found_cert) if not config.silent_set('certificate', sha2_found_cert): @@ -1274,14 +1293,7 @@ SHA-512 of the new certificate: %s c_id, c_url, c_method = confirm['id'], confirm['url'], confirm['method'] confirm_tab = tabs.ConfirmTab(self.core, 'HTTP Verification', - """ -Someone (maybe you) has requested an identity verification -using method "%s" for the url "%s". - -The transaction id is: %s -And the XMPP address of the verification service is %s. - -""" % (c_method, c_url, c_id, stanza['from'].full), + HTTP_VERIF_TEXT % (c_method, c_url, c_id, stanza['from'].full), 'An HTTP verification was requested', cb, critical=False) |