patch 7cf737ec305ade9759d13a9fa2f5ef70b6158c45
Author: Enrique D. Bosch <presidev@AT@gmail.com>
Date: Wed Jun 8 00:14:13 CEST 2016
* Add an option (tls_ca_subject) to check the subject of the root certificate, to avoid attacks with leaf certificates generated by compromissed or malicious certificate authorities, this is a key pinning mechanism
diff -rN -u old-idlebiff/.idlebiffrc new-idlebiff/.idlebiffrc
--- old-idlebiff/.idlebiffrc 2024-11-22 15:55:19.923307902 +0100
+++ new-idlebiff/.idlebiffrc 2024-11-22 15:55:19.923307902 +0100
@@ -22,6 +22,7 @@
tls_validate_cert=1
tls_ca_dir=
tls_ca_file=
+tls_ca_subject=
tls_client_cert=
tls_client_key=
tls_ciphers=DEFAULT:!SSLv3
diff -rN -u old-idlebiff/idlebiff new-idlebiff/idlebiff
--- old-idlebiff/idlebiff 2024-11-22 15:55:19.923307902 +0100
+++ new-idlebiff/idlebiff 2024-11-22 15:55:19.923307902 +0100
@@ -27,7 +27,13 @@
package require tooltip
-namespace eval static { variable tag 1 }
+namespace eval static \
+{
+ variable tag 1
+ variable ccsp 0
+ array set ccsu {}
+}
+
namespace eval shared \
{
variable idle 0
@@ -451,6 +457,32 @@
else { return $line }
}
+proc parse_cert_subject { sub } \
+{
+ set cst [ split [ string map { , = / = } $sub ] = ]
+ foreach v $cst { lappend cstp [ string trim $v ] }
+ return $cstp
+}
+
+proc tls_cb { type channel depth cert status error } \
+{
+ variable ::shared::conf
+ variable ::static::ccsu
+ variable ::static::ccsp
+
+ array set ca $cert
+ if { $conf(tls_ca_subject)!="" && $type=="verify" && $ca(subject)==$ca(issuer) } \
+ {
+ array set csu [ parse_cert_subject $ca(subject) ]
+ if !$ccsp \
+ {
+ array set ccsu [ parse_cert_subject $conf(tls_ca_subject) ]
+ set ccsp 1
+ }
+ foreach i [ array names ccsu ] \
+ { if { ![ info exists csu($i) ] || $csu($i)!=$ccsu($i) } { error cert } }
+ }
+}
proc init_tls { } \
{
@@ -469,7 +501,8 @@
-keyfile \"$conf(tls_client_key)\" \
-request 1 \
-require \"$conf(tls_validate_cert)\" \
- -cipher \"$conf(tls_ciphers)\""
+ -cipher \"$conf(tls_ciphers)\" \
+ -command tls_cb"
} \
else { set sock socket }
}