patch 7cf737ec305ade9759d13a9fa2f5ef70b6158c45

Author: Enrique D. Bosch <presidev@AT@gmail.com>

Date: Wed Jun 8 00:14:13 CEST 2016

* Add an option (tls_ca_subject) to check the subject of the root certificate, to avoid attacks with leaf certificates generated by compromissed or malicious certificate authorities, this is a key pinning mechanism

--- old-idlebiff/.idlebiffrc 2024-05-06 12:28:44.689043177 +0200

+++ new-idlebiff/.idlebiffrc 2024-05-06 12:28:44.689043177 +0200

@@ -22,6 +22,7 @@

tls_validate_cert=1

tls_ca_dir=

tls_ca_file=

+tls_ca_subject=

tls_client_cert=

tls_client_key=

tls_ciphers=DEFAULT:!SSLv3

--- old-idlebiff/idlebiff 2024-05-06 12:28:44.689043177 +0200

+++ new-idlebiff/idlebiff 2024-05-06 12:28:44.689043177 +0200

@@ -27,7 +27,13 @@

package require tooltip

-namespace eval static { variable tag 1 }

+namespace eval static \

+{

+ variable tag 1

+ variable ccsp 0

+ array set ccsu {}

+}

+

namespace eval shared \

{

variable idle 0

@@ -451,6 +457,32 @@

else { return $line }

}

+proc parse_cert_subject { sub } \

+{

+ set cst [ split [ string map { , = / = } $sub ] = ]

+ foreach v $cst { lappend cstp [ string trim $v ] }

+ return $cstp

+}

+

+proc tls_cb { type channel depth cert status error } \

+{

+ variable ::shared::conf

+ variable ::static::ccsu

+ variable ::static::ccsp

+

+ array set ca $cert

+ if { $conf(tls_ca_subject)!="" && $type=="verify" && $ca(subject)==$ca(issuer) } \

+ {

+ array set csu [ parse_cert_subject $ca(subject) ]

+ if !$ccsp \

+ {

+ array set ccsu [ parse_cert_subject $conf(tls_ca_subject) ]

+ set ccsp 1

+ }

+ foreach i [ array names ccsu ] \

+ { if { ![ info exists csu($i) ] || $csu($i)!=$ccsu($i) } { error cert } }

+ }

+}

proc init_tls { } \

{

@@ -469,7 +501,8 @@

-keyfile \"$conf(tls_client_key)\" \

-request 1 \

-require \"$conf(tls_validate_cert)\" \

- -cipher \"$conf(tls_ciphers)\""

+ -cipher \"$conf(tls_ciphers)\" \

+ -command tls_cb"

} \

else { set sock socket }

}