func (u *gtkUI) connectionInfoDialog(account *account) { assertInUIThread() dialogID := "ConnectionInformation" builder := newBuilder(dialogID) var dialog gtki.Dialog var server, tlsAlgo, tlsVersion, tlsFingerprint gtki.Label var pinCertButton gtki.Button builder.getItems( dialogID, &dialog, "serverValue", &server, "tlsAlgoValue", &tlsAlgo, "tlsVersionValue", &tlsVersion, "tlsFingerprintValue", &tlsFingerprint, "pin-cert", &pinCertButton, ) tlsConn := account.session.Conn().RawOut().(*tls.Conn) serverAddress := account.session.Conn().ServerAddress() if serverAddress == "" { parts := strings.SplitN(account.session.GetConfig().Account, "@", 2) serverAddress = parts[1] } server.SetLabel(serverAddress) tlsAlgo.SetLabel(xmpp.GetCipherSuiteName(tlsConn.ConnectionState())) tlsVersion.SetLabel(xmpp.GetTLSVersion(tlsConn.ConnectionState())) certs := tlsConn.ConnectionState().PeerCertificates chunks := splitStringEvery(fmt.Sprintf("%X", digests.Sha3_256(certs[0].Raw)), chunkingDefaultGrouping) tlsFingerprint.SetLabel(fmt.Sprintf("%s %s %s %s\n%s %s %s %s", chunks[0], chunks[1], chunks[2], chunks[3], chunks[4], chunks[5], chunks[6], chunks[7])) if checkPinned(account.session.GetConfig(), certs) { pinCertButton.SetSensitive(false) } builder.ConnectSignals(map[string]interface{}{ "on_close_signal": func() { dialog.Destroy() }, "on_pin_signal": func() { account.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw)) u.SaveConfig() pinCertButton.SetSensitive(false) }, }) dialog.SetTransientFor(u.window) dialog.ShowAll() }
func (u *gtkUI) certificateFailedToVerifyDisplayDialog(a *account, certs []*x509.Certificate, c chan<- bool, tp, extra string) { doInUIThread(func() { builder := newBuilder("CertificateDialog") var md gtki.Dialog var message gtki.Label var issuedToCN, issuedToO, snis, issuedToOU, serial gtki.Label var issuedByCN, issuedByO, issuedByOU gtki.Label var issuedOn, expiresOn gtki.Label var sha1Fingerprint, sha256Fingerprint, sha3_256Fingerprint gtki.Label builder.getItems( "dialog", &md, "message", &message, "issuedToCnValue", &issuedToCN, "issuedToOValue", &issuedToO, "issuedToOUValue", &issuedToOU, "snisValue", &snis, "SNValue", &serial, "issuedByCnValue", &issuedByCN, "issuedByOValue", &issuedByO, "issuedByOUValue", &issuedByOU, "issuedOnValue", &issuedOn, "expiresOnValue", &expiresOn, "sha1FingerprintValue", &sha1Fingerprint, "sha256FingerprintValue", &sha256Fingerprint, "sha3_256FingerprintValue", &sha3_256Fingerprint, ) issuedToCN.SetLabel(certs[0].Subject.CommonName) issuedToO.SetLabel(strings.Join(certs[0].Subject.Organization, ", ")) issuedToOU.SetLabel(strings.Join(certs[0].Subject.OrganizationalUnit, ", ")) serial.SetLabel(certs[0].SerialNumber.String()) ss := certs[0].DNSNames[:] sort.Strings(ss) snis.SetLabel(strings.Join(ss, ", ")) issuedByCN.SetLabel(certs[0].Issuer.CommonName) issuedByO.SetLabel(strings.Join(certs[0].Issuer.Organization, ", ")) issuedByOU.SetLabel(strings.Join(certs[0].Issuer.OrganizationalUnit, ", ")) issuedOn.SetLabel(certs[0].NotBefore.Format(time.RFC822)) expiresOn.SetLabel(certs[0].NotAfter.Format(time.RFC822)) sha1Fingerprint.SetLabel(displayChunked(digests.Sha1(certs[0].Raw))) sha256Fingerprint.SetLabel(displayChunked(digests.Sha256(certs[0].Raw))) sha3_256Fingerprint.SetLabel(displayChunked(digests.Sha3_256(certs[0].Raw))) accountName := "this account" if a != nil { accountName = a.session.GetConfig().Account } md.SetTitle(strings.Replace(md.GetTitle(), "ACCOUNT_NAME", accountName, -1)) switch tp { case "verify": message.SetLabel(fmt.Sprintf("We couldn't verify the certificate for the connection to account %s. This can happen if the server you are connecting to doesn't use the traditional certificate hierarchies. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName)) case "hostname": message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct, but the names for it doesn't match. We need a certificate for the name %s, but this wasn't provided. This can happen if the server is configured incorrectly or there are other reasons the proper name couldn't be used. This is very common for corporate Google accounts. It can also be the symptom of an attack.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName, extra)) case "pinning": message.SetLabel(fmt.Sprintf("The certificate for the connection to account %s is correct - but you have a pinning policy that requires us to ask whether you would like to continue connecting using this certificate, save it for the future, or stop connecting.\n\nTry to verify that this information is correct before proceeding with the connection.", accountName)) } md.SetTransientFor(u.window) md.ShowAll() switch gtki.ResponseType(md.Run()) { case gtki.RESPONSE_OK: c <- true case gtki.RESPONSE_ACCEPT: if a != nil { a.session.GetConfig().SaveCert(certs[0].Subject.CommonName, certs[0].Issuer.CommonName, digests.Sha3_256(certs[0].Raw)) u.SaveConfig() } c <- true case gtki.RESPONSE_CANCEL: if a != nil { a.session.SetWantToBeOnline(false) } c <- false default: a.session.SetWantToBeOnline(false) c <- false } md.Destroy() }) }