Beispiel #1
0
func (u *gtkUI) verifierFor(account *account) ourtls.Verifier {
	conf := account.session.GetConfig()
	return &ourtls.BasicVerifier{
		OnNoPeerCertificates: func() { account.session.SetWantToBeOnline(false) },
		OnPinDeny:            func() { account.session.SetWantToBeOnline(false) },
		HasPinned:            func(certs []*x509.Certificate) bool { return checkPinned(conf, certs) },
		VerifyFailure: func(certs []*x509.Certificate, err error) error {
			if <-u.certificateFailedToVerify(account, certs) {
				return nil
			}
			return errors.New("tls: failed to verify TLS certificate: " + err.Error())
		},
		VerifyHostnameFailure: func(certs []*x509.Certificate, origin string, err error) error {
			if <-u.certificateFailedToVerifyHostname(account, certs, origin) {
				return nil
			}
			return errors.New("tls: failed to match TLS certificate to name: " + err.Error())
		},
		AddCert: func(cert *x509.Certificate) {
			conf.SaveCert(cert.Subject.CommonName, cert.Issuer.CommonName, digests.Sha3_256(cert.Raw))
			u.SaveConfig()
		},
		AskPinning: func(certs []*x509.Certificate) error {
			if <-u.validCertificateShouldBePinned(account, certs) {
				return nil
			}
			account.session.SetWantToBeOnline(false)
			return errors.New("tls: you manually denied the possibility of connecting using this certificate")
		},
		HasCertificates: func() bool { return len(conf.Certificates) > 0 },
		NeedToCheckPins: conf.PinningPolicy != "none",
		PinningPolicy:   conf.PinningPolicy,
	}
}
Beispiel #2
0
func (u *gtkUI) connectionInfoDialog(account *account) {
	assertInUIThread()

	dialogID := "ConnectionInformation"
	builder := newBuilder(dialogID)

	var dialog gtki.Dialog
	var server, tlsAlgo, tlsVersion, tlsFingerprint gtki.Label
	var pinCertButton gtki.Button

	builder.getItems(
		dialogID, &dialog,
		"serverValue", &server,
		"tlsAlgoValue", &tlsAlgo,
		"tlsVersionValue", &tlsVersion,
		"tlsFingerprintValue", &tlsFingerprint,
		"pin-cert", &pinCertButton,
	)

	tlsConn := account.session.Conn().RawOut().(*tls.Conn)

	serverAddress := account.session.Conn().ServerAddress()
	if serverAddress == "" {
		parts := strings.SplitN(account.session.GetConfig().Account, "@", 2)
		serverAddress = parts[1]
	}
	server.SetLabel(serverAddress)

	tlsAlgo.SetLabel(xmpp.GetCipherSuiteName(tlsConn.ConnectionState()))
	tlsVersion.SetLabel(xmpp.GetTLSVersion(tlsConn.ConnectionState()))

	certs := tlsConn.ConnectionState().PeerCertificates
	chunks := splitStringEvery(fmt.Sprintf("%X", digests.Sha3_256(certs[0].Raw)), chunkingDefaultGrouping)
	tlsFingerprint.SetLabel(fmt.Sprintf("%s %s %s %s\n%s %s %s %s", chunks[0], chunks[1], chunks[2], chunks[3], chunks[4], chunks[5], chunks[6], chunks[7]))

	if checkPinned(account.session.GetConfig(), certs) {
		pinCertButton.SetSensitive(false)
	}

	builder.ConnectSignals(map[string]interface{}{
		"on_close_signal": func() {
			dialog.Destroy()
		},

		"on_pin_signal": func() {
			account.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw))
			u.SaveConfig()
			pinCertButton.SetSensitive(false)
		},
	})

	dialog.SetTransientFor(u.window)
	dialog.ShowAll()
}
Beispiel #3
0
// Matches returns true if this pin matches the given certificate
func (v *CertificatePin) Matches(cert *x509.Certificate) bool {
	r := cert.Raw
	var dig []byte
	switch v.FingerprintType {
	case "SHA1":
		dig = digests.Sha1(r)
	case "SHA256":
		dig = digests.Sha256(r)
	case "SHA3-256":
		dig = digests.Sha3_256(r)
	default:
		return false
	}

	return bytes.Equal(dig, v.Fingerprint)
}
Beispiel #4
0
func (u *gtkUI) certificateFailedToVerifyDisplayDialog(a *account, certs []*x509.Certificate, c chan<- bool, tp, extra string) {
	doInUIThread(func() {
		builder := newBuilder("CertificateDialog")

		var md gtki.Dialog
		var message gtki.Label
		var issuedToCN, issuedToO, snis, issuedToOU, serial gtki.Label
		var issuedByCN, issuedByO, issuedByOU gtki.Label
		var issuedOn, expiresOn gtki.Label
		var sha1Fingerprint, sha256Fingerprint, sha3_256Fingerprint gtki.Label

		builder.getItems(
			"dialog", &md,
			"message", &message,
			"issuedToCnValue", &issuedToCN,
			"issuedToOValue", &issuedToO,
			"issuedToOUValue", &issuedToOU,
			"snisValue", &snis,
			"SNValue", &serial,
			"issuedByCnValue", &issuedByCN,
			"issuedByOValue", &issuedByO,
			"issuedByOUValue", &issuedByOU,
			"issuedOnValue", &issuedOn,
			"expiresOnValue", &expiresOn,
			"sha1FingerprintValue", &sha1Fingerprint,
			"sha256FingerprintValue", &sha256Fingerprint,
			"sha3_256FingerprintValue", &sha3_256Fingerprint,
		)

		issuedToCN.SetLabel(certs[0].Subject.CommonName)
		issuedToO.SetLabel(strings.Join(certs[0].Subject.Organization, ", "))
		issuedToOU.SetLabel(strings.Join(certs[0].Subject.OrganizationalUnit, ", "))
		serial.SetLabel(certs[0].SerialNumber.String())
		ss := certs[0].DNSNames[:]
		sort.Strings(ss)
		snis.SetLabel(strings.Join(ss, ", "))

		issuedByCN.SetLabel(certs[0].Issuer.CommonName)
		issuedByO.SetLabel(strings.Join(certs[0].Issuer.Organization, ", "))
		issuedByOU.SetLabel(strings.Join(certs[0].Issuer.OrganizationalUnit, ", "))

		issuedOn.SetLabel(certs[0].NotBefore.Format(time.RFC822))
		expiresOn.SetLabel(certs[0].NotAfter.Format(time.RFC822))

		sha1Fingerprint.SetLabel(displayChunked(digests.Sha1(certs[0].Raw)))
		sha256Fingerprint.SetLabel(displayChunked(digests.Sha256(certs[0].Raw)))
		sha3_256Fingerprint.SetLabel(displayChunked(digests.Sha3_256(certs[0].Raw)))

		accountName := "this account"
		if a != nil {
			accountName = a.session.GetConfig().Account
		}

		md.SetTitle(strings.Replace(md.GetTitle(), "ACCOUNT_NAME", accountName, -1))

		switch tp {
		case "verify":
			message.SetLabel(fmt.Sprintf("We couldn't verify the certificate for the connection to account %s. This can happen if the server you are connecting to doesn't use the traditional certificate hierarchies. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName))
		case "hostname":
			message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct, but the names for it doesn't match. We need a certificate for the name %s, but this wasn't provided. This can happen if the server is configured incorrectly or there are other reasons the proper name couldn't be used. This is very common for corporate Google accounts. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName, extra))
		case "pinning":
			message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct - but you have a pinning policy that requires us to ask whether you would like to continue connecting using this certificate, save it for the future, or stop connecting.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName))

		}

		md.SetTransientFor(u.window)

		md.ShowAll()

		switch gtki.ResponseType(md.Run()) {
		case gtki.RESPONSE_OK:
			c <- true
		case gtki.RESPONSE_ACCEPT:
			if a != nil {
				a.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw))
				u.SaveConfig()
			}
			c <- true
		case gtki.RESPONSE_CANCEL:
			if a != nil {
				a.session.SetWantToBeOnline(false)
			}
			c <- false
		default:
			a.session.SetWantToBeOnline(false)
			c <- false
		}

		md.Destroy()
	})
}