func (u *gtkUI) verifierFor(account *account) ourtls.Verifier {
conf := account.session.GetConfig()
return &ourtls.BasicVerifier{
OnNoPeerCertificates: func() { account.session.SetWantToBeOnline(false) },
OnPinDeny: func() { account.session.SetWantToBeOnline(false) },
HasPinned: func(certs []*x509.Certificate) bool { return checkPinned(conf, certs) },
VerifyFailure: func(certs []*x509.Certificate, err error) error {
if <-u.certificateFailedToVerify(account, certs) {
return nil
}
return errors.New("tls: failed to verify TLS certificate: " + err.Error())
},
VerifyHostnameFailure: func(certs []*x509.Certificate, origin string, err error) error {
if <-u.certificateFailedToVerifyHostname(account, certs, origin) {
return nil
}
return errors.New("tls: failed to match TLS certificate to name: " + err.Error())
},
AddCert: func(cert *x509.Certificate) {
conf.SaveCert(cert.Subject.CommonName, cert.Issuer.CommonName, digests.Sha3_256(cert.Raw))
u.SaveConfig()
},
AskPinning: func(certs []*x509.Certificate) error {
if <-u.validCertificateShouldBePinned(account, certs) {
return nil
}
account.session.SetWantToBeOnline(false)
return errors.New("tls: you manually denied the possibility of connecting using this certificate")
},
HasCertificates: func() bool { return len(conf.Certificates) > 0 },
NeedToCheckPins: conf.PinningPolicy != "none",
PinningPolicy: conf.PinningPolicy,
}
}
func (u *gtkUI) connectionInfoDialog(account *account) {
assertInUIThread()
dialogID := "ConnectionInformation"
builder := newBuilder(dialogID)
var dialog gtki.Dialog
var server, tlsAlgo, tlsVersion, tlsFingerprint gtki.Label
var pinCertButton gtki.Button
builder.getItems(
dialogID, &dialog,
"serverValue", &server,
"tlsAlgoValue", &tlsAlgo,
"tlsVersionValue", &tlsVersion,
"tlsFingerprintValue", &tlsFingerprint,
"pin-cert", &pinCertButton,
)
tlsConn := account.session.Conn().RawOut().(*tls.Conn)
serverAddress := account.session.Conn().ServerAddress()
if serverAddress == "" {
parts := strings.SplitN(account.session.GetConfig().Account, "@", 2)
serverAddress = parts[1]
}
server.SetLabel(serverAddress)
tlsAlgo.SetLabel(xmpp.GetCipherSuiteName(tlsConn.ConnectionState()))
tlsVersion.SetLabel(xmpp.GetTLSVersion(tlsConn.ConnectionState()))
certs := tlsConn.ConnectionState().PeerCertificates
chunks := splitStringEvery(fmt.Sprintf("%X", digests.Sha3_256(certs[0].Raw)), chunkingDefaultGrouping)
tlsFingerprint.SetLabel(fmt.Sprintf("%s %s %s %s\n%s %s %s %s", chunks[0], chunks[1], chunks[2], chunks[3], chunks[4], chunks[5], chunks[6], chunks[7]))
if checkPinned(account.session.GetConfig(), certs) {
pinCertButton.SetSensitive(false)
}
builder.ConnectSignals(map[string]interface{}{
"on_close_signal": func() {
dialog.Destroy()
},
"on_pin_signal": func() {
account.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw))
u.SaveConfig()
pinCertButton.SetSensitive(false)
},
})
dialog.SetTransientFor(u.window)
dialog.ShowAll()
}
// Matches returns true if this pin matches the given certificate
func (v *CertificatePin) Matches(cert *x509.Certificate) bool {
r := cert.Raw
var dig []byte
switch v.FingerprintType {
case "SHA1":
dig = digests.Sha1(r)
case "SHA256":
dig = digests.Sha256(r)
case "SHA3-256":
dig = digests.Sha3_256(r)
default:
return false
}
return bytes.Equal(dig, v.Fingerprint)
}
func (u *gtkUI) certificateFailedToVerifyDisplayDialog(a *account, certs []*x509.Certificate, c chan<- bool, tp, extra string) {
doInUIThread(func() {
builder := newBuilder("CertificateDialog")
var md gtki.Dialog
var message gtki.Label
var issuedToCN, issuedToO, snis, issuedToOU, serial gtki.Label
var issuedByCN, issuedByO, issuedByOU gtki.Label
var issuedOn, expiresOn gtki.Label
var sha1Fingerprint, sha256Fingerprint, sha3_256Fingerprint gtki.Label
builder.getItems(
"dialog", &md,
"message", &message,
"issuedToCnValue", &issuedToCN,
"issuedToOValue", &issuedToO,
"issuedToOUValue", &issuedToOU,
"snisValue", &snis,
"SNValue", &serial,
"issuedByCnValue", &issuedByCN,
"issuedByOValue", &issuedByO,
"issuedByOUValue", &issuedByOU,
"issuedOnValue", &issuedOn,
"expiresOnValue", &expiresOn,
"sha1FingerprintValue", &sha1Fingerprint,
"sha256FingerprintValue", &sha256Fingerprint,
"sha3_256FingerprintValue", &sha3_256Fingerprint,
)
issuedToCN.SetLabel(certs[0].Subject.CommonName)
issuedToO.SetLabel(strings.Join(certs[0].Subject.Organization, ", "))
issuedToOU.SetLabel(strings.Join(certs[0].Subject.OrganizationalUnit, ", "))
serial.SetLabel(certs[0].SerialNumber.String())
ss := certs[0].DNSNames[:]
sort.Strings(ss)
snis.SetLabel(strings.Join(ss, ", "))
issuedByCN.SetLabel(certs[0].Issuer.CommonName)
issuedByO.SetLabel(strings.Join(certs[0].Issuer.Organization, ", "))
issuedByOU.SetLabel(strings.Join(certs[0].Issuer.OrganizationalUnit, ", "))
issuedOn.SetLabel(certs[0].NotBefore.Format(time.RFC822))
expiresOn.SetLabel(certs[0].NotAfter.Format(time.RFC822))
sha1Fingerprint.SetLabel(displayChunked(digests.Sha1(certs[0].Raw)))
sha256Fingerprint.SetLabel(displayChunked(digests.Sha256(certs[0].Raw)))
sha3_256Fingerprint.SetLabel(displayChunked(digests.Sha3_256(certs[0].Raw)))
accountName := "this account"
if a != nil {
accountName = a.session.GetConfig().Account
}
md.SetTitle(strings.Replace(md.GetTitle(), "ACCOUNT_NAME", accountName, -1))
switch tp {
case "verify":
message.SetLabel(fmt.Sprintf("We couldn't verify the certificate for the connection to account %s. This can happen if the server you are connecting to doesn't use the traditional certificate hierarchies. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName))
case "hostname":
message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct, but the names for it doesn't match. We need a certificate for the name %s, but this wasn't provided. This can happen if the server is configured incorrectly or there are other reasons the proper name couldn't be used. This is very common for corporate Google accounts. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName, extra))
case "pinning":
message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct - but you have a pinning policy that requires us to ask whether you would like to continue connecting using this certificate, save it for the future, or stop connecting.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName))
}
md.SetTransientFor(u.window)
md.ShowAll()
switch gtki.ResponseType(md.Run()) {
case gtki.RESPONSE_OK:
c <- true
case gtki.RESPONSE_ACCEPT:
if a != nil {
a.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw))
u.SaveConfig()
}
c <- true
case gtki.RESPONSE_CANCEL:
if a != nil {
a.session.SetWantToBeOnline(false)
}
c <- false
default:
a.session.SetWantToBeOnline(false)
c <- false
}
md.Destroy()
})
}