From 7c74e6615dcf3d1ec288028ee1e49d2556cafffe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Eric=20Janouch?= <p@janouch.name>
Date: Mon, 26 Sep 2022 13:56:45 +0200
Subject: xD: use SHA-256 for certificate fingerprints

Just like xS.  2.0.0 is the ideal time for such a breaking change.
---
 xD.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'xD.c')

diff --git a/xD.c b/xD.c
index 65ebe7e..56fd8ea 100644
--- a/xD.c
+++ b/xD.c
@@ -49,7 +49,7 @@ static struct simple_config_item g_config_table[] =
 	{ "tls_key",         NULL,              "Server TLS private key (PEM)"   },
 	{ "tls_ciphers",     DEFAULT_CIPHERS,   "OpenSSL cipher list"            },
 
-	{ "operators",       NULL, "IRCop TLS client cert. SHA-1 fingerprints"   },
+	{ "operators",       NULL, "IRCop TLS client cert. SHA-256 fingerprints" },
 
 	{ "max_connections", "0",               "Global connection limit"        },
 	{ "ping_interval",   "180",             "Interval between PINGs (sec)"   },
@@ -296,7 +296,7 @@ irc_is_valid_user_mask (const char *mask)
 static bool
 irc_is_valid_fingerprint (const char *fp)
 {
-	return irc_regex_match ("^[a-fA-F0-9]{40}$", fp);
+	return irc_regex_match ("^[a-fA-F0-9]{64}$", fp);
 }
 
 // --- Clients (equals users) --------------------------------------------------
@@ -1005,8 +1005,8 @@ client_get_ssl_cert_fingerprint (struct client *c)
 	if (i2d_X509 (peer_cert, &p) < 0)
 		return NULL;
 
-	unsigned char hash[SHA_DIGEST_LENGTH];
-	SHA1 (cert, cert_len, hash);
+	unsigned char hash[SHA256_DIGEST_LENGTH];
+	SHA256 (cert, cert_len, hash);
 
 	struct str fingerprint = str_make ();
 	for (size_t i = 0; i < sizeof hash; i++)
-- 
cgit v1.2.3