From 7c74e6615dcf3d1ec288028ee1e49d2556cafffe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Eric=20Janouch?=
Date: Mon, 26 Sep 2022 13:56:45 +0200
Subject: [PATCH] xD: use SHA-256 for certificate fingerprints Just like xS. 2.0.0 is the ideal time for such a breaking change.
---
 NEWS | 2 ++
 README.adoc | 4 ++--
 xD.c | 8 ++++----
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/NEWS b/NEWS
index 803dc03..e7a492f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@ 2.0.0 (Unreleased) + * xD: now using SHA-256 for client certificate fingerprints + * xD: implemented WALLOPS, choosing to make it target even non-operators * xC: made it show WALLOPS messages, as PRIVMSG for the server buffer
diff --git a/README.adoc b/README.adoc
index 0bf29b2..beb03b4 100644
--- a/README.adoc
+++ b/README.adoc
@@ -141,10 +141,10 @@ Client Certificates certificate specified by the respective server's `tls_cert` option if you add `sasl` to the `capabilities` option and the server supports this.
-'xD' uses SHA-1 fingerprints of TLS client certificates to authenticate users.
+'xD' uses SHA-256 fingerprints of TLS client certificates to authenticate users.
 To get the fingerprint from a certificate file in the required form, use:
- $ openssl x509 -in public.pem -outform DER | sha1sum
+ $ openssl x509 -in public.pem -outform DER | sha256sum
 Custom Key Bindings in xC -------------------------
diff --git a/xD.c b/xD.c
index 65ebe7e..56fd8ea 100644
--- a/xD.c
+++ b/xD.c
@@ -49,7 +49,7 @@ static struct simple_config_item g_config_table[] =
 { "tls_key", NULL, "Server TLS private key (PEM)" }, { "tls_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" },
- { "operators", NULL, "IRCop TLS client cert. SHA-1 fingerprints" },
+ { "operators", NULL, "IRCop TLS client cert. SHA-256 fingerprints" },
 { "max_connections", "0", "Global connection limit" }, { "ping_interval", "180", "Interval between PINGs (sec)" },
@@ -296,7 +296,7 @@ irc_is_valid_user_mask (const char *mask)
 static bool irc_is_valid_fingerprint (const char *fp) {
- return irc_regex_match ("^[a-fA-F0-9]{40}$", fp);
+ return irc_regex_match ("^[a-fA-F0-9]{64}$", fp);
 } // --- Clients (equals users) --------------------------------------------------
@@ -1005,8 +1005,8 @@ client_get_ssl_cert_fingerprint (struct client *c)
 if (i2d_X509 (peer_cert, &p) < 0) return NULL;
- unsigned char hash[SHA_DIGEST_LENGTH];
- SHA1 (cert, cert_len, hash);
+ unsigned char hash[SHA256_DIGEST_LENGTH];
+ SHA256 (cert, cert_len, hash);
 struct str fingerprint = str_make (); for (size_t i = 0; i < sizeof hash; i++)
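Review bot: The `{64}` in `irc_is_valid_fingerprint` now rejects every 40-digit SHA-1 value that an existing `operators` setting may still hold, and nothing in this hunk shows how that rejection reaches the administrator. The callers are outside the hunk, so it should be confirmed that a rejected entry produces a startup error or a log line rather than an operator list that is quietly empty. The literal is also tied to the digest chosen in `client_get_ssl_cert_fingerprint` further down; a comment such as `// 64 hex digits = 2 * SHA256_DIGEST_LENGTH, keep in sync with client_get_ssl_cert_fingerprint` would stop the two from drifting apart.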
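Review bot: The result of `SHA256 (cert, cert_len, hash)` is discarded, so if the digest call fails, the loop that follows formats an uninitialised `hash` into the fingerprint used to authenticate the client. Whether the one-shot helper can fail depends on the OpenSSL version in use, which is not visible here; checking it costs one line, `if (!SHA256 (cert, cert_len, hash)) return NULL;`. Alternatively, `X509_digest (peer_cert, EVP_sha256 (), hash, &len)` hashes the same DER encoding and reports failure, which may make the manual `i2d_X509` buffer unnecessary. The function begins and ends outside the hunk, so cleanup of `peer_cert` on the early returns could not be checked.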