xD: use SHA-256 for certificate fingerprints

Just like xS.  2.0.0 is the ideal time for such a breaking change.
This commit is contained in:
Přemysl Eric Janouch 2022-09-26 13:56:45 +02:00
parent 614fd98fc1
commit 7c74e6615d
Signed by: p
GPG Key ID: A0420B94F92B9493
3 changed files with 8 additions and 6 deletions

2
NEWS
View File

@ -1,5 +1,7 @@
2.0.0 (Unreleased) 2.0.0 (Unreleased)
* xD: now using SHA-256 for client certificate fingerprints
* xD: implemented WALLOPS, choosing to make it target even non-operators * xD: implemented WALLOPS, choosing to make it target even non-operators
* xC: made it show WALLOPS messages, as PRIVMSG for the server buffer * xC: made it show WALLOPS messages, as PRIVMSG for the server buffer

View File

@ -141,10 +141,10 @@ Client Certificates
certificate specified by the respective server's `tls_cert` option if you add certificate specified by the respective server's `tls_cert` option if you add
`sasl` to the `capabilities` option and the server supports this. `sasl` to the `capabilities` option and the server supports this.
'xD' uses SHA-1 fingerprints of TLS client certificates to authenticate users. 'xD' uses SHA-256 fingerprints of TLS client certificates to authenticate users.
To get the fingerprint from a certificate file in the required form, use: To get the fingerprint from a certificate file in the required form, use:
$ openssl x509 -in public.pem -outform DER | sha1sum $ openssl x509 -in public.pem -outform DER | sha256sum
Custom Key Bindings in xC Custom Key Bindings in xC
------------------------- -------------------------

8
xD.c
View File

@ -49,7 +49,7 @@ static struct simple_config_item g_config_table[] =
{ "tls_key", NULL, "Server TLS private key (PEM)" }, { "tls_key", NULL, "Server TLS private key (PEM)" },
{ "tls_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" }, { "tls_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" },
{ "operators", NULL, "IRCop TLS client cert. SHA-1 fingerprints" }, { "operators", NULL, "IRCop TLS client cert. SHA-256 fingerprints" },
{ "max_connections", "0", "Global connection limit" }, { "max_connections", "0", "Global connection limit" },
{ "ping_interval", "180", "Interval between PINGs (sec)" }, { "ping_interval", "180", "Interval between PINGs (sec)" },
@ -296,7 +296,7 @@ irc_is_valid_user_mask (const char *mask)
static bool static bool
irc_is_valid_fingerprint (const char *fp) irc_is_valid_fingerprint (const char *fp)
{ {
return irc_regex_match ("^[a-fA-F0-9]{40}$", fp); return irc_regex_match ("^[a-fA-F0-9]{64}$", fp);
} }
// --- Clients (equals users) -------------------------------------------------- // --- Clients (equals users) --------------------------------------------------
@ -1005,8 +1005,8 @@ client_get_ssl_cert_fingerprint (struct client *c)
if (i2d_X509 (peer_cert, &p) < 0) if (i2d_X509 (peer_cert, &p) < 0)
return NULL; return NULL;
unsigned char hash[SHA_DIGEST_LENGTH]; unsigned char hash[SHA256_DIGEST_LENGTH];
SHA1 (cert, cert_len, hash); SHA256 (cert, cert_len, hash);
struct str fingerprint = str_make (); struct str fingerprint = str_make ();
for (size_t i = 0; i < sizeof hash; i++) for (size_t i = 0; i < sizeof hash; i++)