summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPřemysl Eric Janouch <p@janouch.name>2022-09-26 13:56:45 +0200
committerPřemysl Eric Janouch <p@janouch.name>2022-09-26 13:58:08 +0200
commit7c74e6615dcf3d1ec288028ee1e49d2556cafffe (patch)
tree583ac1609799b525b4e9d312a5ae69d0a19ada19
parent614fd98fc1c78a1106928dcc1644abc520777956 (diff)
downloadxK-7c74e6615dcf3d1ec288028ee1e49d2556cafffe.tar.gz
xK-7c74e6615dcf3d1ec288028ee1e49d2556cafffe.tar.xz
xK-7c74e6615dcf3d1ec288028ee1e49d2556cafffe.zip
xD: use SHA-256 for certificate fingerprints
Just like xS. 2.0.0 is the ideal time for such a breaking change.
-rw-r--r--NEWS2
-rw-r--r--README.adoc4
-rw-r--r--xD.c8
3 files changed, 8 insertions, 6 deletions
diff --git a/NEWS b/NEWS
index 803dc03..e7a492f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
2.0.0 (Unreleased)
+ * xD: now using SHA-256 for client certificate fingerprints
+
* xD: implemented WALLOPS, choosing to make it target even non-operators
* xC: made it show WALLOPS messages, as PRIVMSG for the server buffer
diff --git a/README.adoc b/README.adoc
index 0bf29b2..beb03b4 100644
--- a/README.adoc
+++ b/README.adoc
@@ -141,10 +141,10 @@ Client Certificates
certificate specified by the respective server's `tls_cert` option if you add
`sasl` to the `capabilities` option and the server supports this.
-'xD' uses SHA-1 fingerprints of TLS client certificates to authenticate users.
+'xD' uses SHA-256 fingerprints of TLS client certificates to authenticate users.
To get the fingerprint from a certificate file in the required form, use:
- $ openssl x509 -in public.pem -outform DER | sha1sum
+ $ openssl x509 -in public.pem -outform DER | sha256sum
Custom Key Bindings in xC
-------------------------
diff --git a/xD.c b/xD.c
index 65ebe7e..56fd8ea 100644
--- a/xD.c
+++ b/xD.c
@@ -49,7 +49,7 @@ static struct simple_config_item g_config_table[] =
{ "tls_key", NULL, "Server TLS private key (PEM)" },
{ "tls_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" },
- { "operators", NULL, "IRCop TLS client cert. SHA-1 fingerprints" },
+ { "operators", NULL, "IRCop TLS client cert. SHA-256 fingerprints" },
{ "max_connections", "0", "Global connection limit" },
{ "ping_interval", "180", "Interval between PINGs (sec)" },
@@ -296,7 +296,7 @@ irc_is_valid_user_mask (const char *mask)
static bool
irc_is_valid_fingerprint (const char *fp)
{
- return irc_regex_match ("^[a-fA-F0-9]{40}$", fp);
+ return irc_regex_match ("^[a-fA-F0-9]{64}$", fp);
}
// --- Clients (equals users) --------------------------------------------------
@@ -1005,8 +1005,8 @@ client_get_ssl_cert_fingerprint (struct client *c)
if (i2d_X509 (peer_cert, &p) < 0)
return NULL;
- unsigned char hash[SHA_DIGEST_LENGTH];
- SHA1 (cert, cert_len, hash);
+ unsigned char hash[SHA256_DIGEST_LENGTH];
+ SHA256 (cert, cert_len, hash);
struct str fingerprint = str_make ();
for (size_t i = 0; i < sizeof hash; i++)