patch 7cf737ec305ade9759d13a9fa2f5ef70b6158c45 Author: Enrique D. Bosch Date: Wed Jun 8 00:14:13 CEST 2016 * Add an option (tls_ca_subject) to check the subject of the root certificate, to avoid attacks with leaf certificates generated by compromissed or malicious certificate authorities, this is a key pinning mechanism diff -rN -u old-idlebiff/.idlebiffrc new-idlebiff/.idlebiffrc --- old-idlebiff/.idlebiffrc 2024-11-22 21:24:52.747909400 +0100 +++ new-idlebiff/.idlebiffrc 2024-11-22 21:24:52.747909400 +0100 @@ -22,6 +22,7 @@ tls_validate_cert=1 tls_ca_dir= tls_ca_file= +tls_ca_subject= tls_client_cert= tls_client_key= tls_ciphers=DEFAULT:!SSLv3 diff -rN -u old-idlebiff/idlebiff new-idlebiff/idlebiff --- old-idlebiff/idlebiff 2024-11-22 21:24:52.747909400 +0100 +++ new-idlebiff/idlebiff 2024-11-22 21:24:52.747909400 +0100 @@ -27,7 +27,13 @@ package require tooltip -namespace eval static { variable tag 1 } +namespace eval static \ +{ + variable tag 1 + variable ccsp 0 + array set ccsu {} +} + namespace eval shared \ { variable idle 0 @@ -451,6 +457,32 @@ else { return $line } } +proc parse_cert_subject { sub } \ +{ + set cst [ split [ string map { , = / = } $sub ] = ] + foreach v $cst { lappend cstp [ string trim $v ] } + return $cstp +} + +proc tls_cb { type channel depth cert status error } \ +{ + variable ::shared::conf + variable ::static::ccsu + variable ::static::ccsp + + array set ca $cert + if { $conf(tls_ca_subject)!="" && $type=="verify" && $ca(subject)==$ca(issuer) } \ + { + array set csu [ parse_cert_subject $ca(subject) ] + if !$ccsp \ + { + array set ccsu [ parse_cert_subject $conf(tls_ca_subject) ] + set ccsp 1 + } + foreach i [ array names ccsu ] \ + { if { ![ info exists csu($i) ] || $csu($i)!=$ccsu($i) } { error cert } } + } +} proc init_tls { } \ { @@ -469,7 +501,8 @@ -keyfile \"$conf(tls_client_key)\" \ -request 1 \ -require \"$conf(tls_validate_cert)\" \ - -cipher \"$conf(tls_ciphers)\"" + -cipher \"$conf(tls_ciphers)\" \ + -command tls_cb" } \ else { set sock socket } }