--- a/mcabber/configure.ac Wed Feb 10 23:15:20 2016 +0100
+++ b/mcabber/configure.ac Sat Feb 13 11:05:07 2016 +0100
@@ -156,6 +156,12 @@
# Check for loudmouth
PKG_CHECK_MODULES(LOUDMOUTH, loudmouth-1.0 >= 1.4.2)
+PKG_CHECK_MODULES(LOUDMOUTH_SHA256, [loudmouth-1.0 >= 1.5.3],
+ AC_DEFINE([LOUDMOUTH_USES_SHA256], 1,
+ [loudmouth is now using a new digest]
+ ),
+ []
+ )
# Check for lm_ssl_set_cipher_list in loudmouth
AC_CHECK_LIB(loudmouth-1, lm_ssl_set_cipher_list,
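Review bot: The added `PKG_CHECK_MODULES(LOUDMOUTH_SHA256, ...)` serves only as a version test, yet it also sets `LOUDMOUTH_SHA256_CFLAGS` and `LOUDMOUTH_SHA256_LIBS`, which nothing in the visible diff uses. `PKG_CHECK_EXISTS([loudmouth-1.0 >= 1.5.3], [AC_DEFINE(...)])` expresses the same intent without the extra variables. The `AC_DEFINE` description `loudmouth is now using a new digest` lands in config.h and would read better as `[Define to 1 if loudmouth handles certificate fingerprints as SHA-256 strings]` (wording to be confirmed against loudmouth). The choice is made at build time, so a binary built against one loudmouth generation and run with the other would presumably pass the library a fingerprint in the wrong format; that is worth a line for packagers.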
--- a/mcabber/mcabber/utils.c Wed Feb 10 23:15:20 2016 +0100
+++ b/mcabber/mcabber/utils.c Sat Feb 13 11:05:07 2016 +0100
@@ -155,6 +155,7 @@
return g_strdup(fname);
}
+#ifndef LOUDMOUTH_USES_SHA256
// fingerprint_to_hex(fprstr, hex, fpr_len)
// Convert the binary fingerprint fprstr (which is fpr_len bytes long)
// to a NULL-terminated hexadecimal string hex.
@@ -199,6 +200,7 @@
}
return TRUE;
}
+#endif
static gboolean tracelog_create(void)
{
--- a/mcabber/mcabber/utils.h Wed Feb 10 23:15:20 2016 +0100
+++ b/mcabber/mcabber/utils.h Sat Feb 13 11:05:07 2016 +0100
@@ -21,8 +21,10 @@
const char *resource);
gboolean jid_equal(const char *jid1, const char *jid2);
+#ifndef LOUDMOUTH_USES_SHA256
void fingerprint_to_hex(const char *fpr, char *hex, size_t fpr_len);
gboolean hex_to_fingerprint(const char *hex, char *fpr, size_t fpr_len);
+#endif
void ut_init_debug(void);
void ut_write_log(unsigned int flag, const char *data);
--- a/mcabber/mcabber/xmpp.c Wed Feb 10 23:15:20 2016 +0100
+++ b/mcabber/mcabber/xmpp.c Sat Feb 13 11:05:07 2016 +0100
@@ -44,7 +44,9 @@
#define RECONNECTION_TIMEOUT 60L
-#define FINGERPRINT_LENGTH 16 // Currently Loudmouth only supports MD5
+#ifndef LOUDMOUTH_USES_SHA256
+#define FINGERPRINT_LENGTH 16 // old loudmouth still uses MD5 :(
+#endif
LmConnection* lconnection = NULL;
static guint AutoConnection;
@@ -723,13 +725,19 @@
"Certificate hostname does not match expected hostname!");
break;
case LM_SSL_STATUS_CERT_FINGERPRINT_MISMATCH: {
+#ifndef LOUDMOUTH_USES_SHA256
char fpr[3*FINGERPRINT_LENGTH] = {0};
fingerprint_to_hex(lm_ssl_get_fingerprint(ssl), fpr, FINGERPRINT_LENGTH);
+#endif
scr_LogPrint(LPRINT_LOGNORM,
"Certificate fingerprint does not match expected fingerprint!");
+#ifndef LOUDMOUTH_USES_SHA256
scr_LogPrint(LPRINT_LOGNORM, "Remote fingerprint: %s", fpr);
+#else
+ scr_LogPrint(LPRINT_LOGNORM, "Remote fingerprint: %s", lm_ssl_get_fingerprint(ssl));
+#endif
- scr_LogPrint(LPRINT_LOGNORM, "Expected fingerprint: %s",
+ scr_LogPrint(LPRINT_LOGNORM, "Expect fingerprint: %s",
settings_opt_get("ssl_fingerprint"));
return LM_SSL_RESPONSE_STOP;
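Review bot: The last changed line of this hunk rewords the log text from "Expected fingerprint: %s" to "Expect fingerprint: %s", which looks like an accidental edit unrelated to the SHA-256 switch; I would keep `"Expected fingerprint: %s"`. In the new `#else` branch the result of `lm_ssl_get_fingerprint(ssl)` goes straight into a `%s` argument, so a NULL return would reach the formatter. Assuming newer loudmouth returns a NUL-terminated string (not visible here), a guard such as `const char *rfpr = lm_ssl_get_fingerprint(ssl);` followed by `scr_LogPrint(LPRINT_LOGNORM, "Remote fingerprint: %s", rfpr ? rfpr : "(none)");` would be safer. The same applies to the `#else` branch added in the "Connection established" hunk at -752, and the enclosing function starts and ends outside this hunk.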
@@ -752,10 +760,15 @@
{
LmSSL *lssl;
if ((lssl = lm_connection_get_ssl(connection)) != NULL) {
+#ifndef LOUDMOUTH_USES_SHA256
char fpr[3*FINGERPRINT_LENGTH] = {0};
fingerprint_to_hex(lm_ssl_get_fingerprint(lssl), fpr, FINGERPRINT_LENGTH);
scr_LogPrint(LPRINT_LOGNORM, "Connection established.\n"
"Remote fingerprint: %s", fpr);
+#else
+ scr_LogPrint(LPRINT_LOGNORM, "Connection established.\n"
+ "Remote fingerprint: %s", lm_ssl_get_fingerprint(lssl));
+#endif
}
if (success) {
@@ -1757,7 +1770,9 @@
{
const char *userjid, *password, *resource, *servername, *ssl_fpr;
char *dynresource = NULL;
+#ifndef LOUDMOUTH_USES_SHA256
char fpr[FINGERPRINT_LENGTH] = {0};
+#endif
const char *proxy_host;
const char *resource_prefix = PACKAGE_NAME;
char *fjid;
@@ -1902,6 +1917,7 @@
port = (ssl ? LM_CONNECTION_DEFAULT_PORT_SSL : LM_CONNECTION_DEFAULT_PORT);
lm_connection_set_port(lconnection, port);
+#ifndef LOUDMOUTH_USES_SHA256
if (ssl_fpr && (!hex_to_fingerprint(ssl_fpr, fpr, FINGERPRINT_LENGTH))) {
scr_LogPrint(LPRINT_LOGNORM, "** Please set the fingerprint in the format "
"97:5C:00:3F:1D:77:45:25:E2:C5:70:EC:83:C8:87:EE");
@@ -1909,6 +1925,9 @@
}
lssl = lm_ssl_new((ssl_fpr ? fpr : NULL), ssl_cb, NULL, NULL);
+#else
+ lssl = lm_ssl_new(ssl_fpr, ssl_cb, NULL, NULL);
+#endif
if (lssl) {
#ifdef HAVE_LM_SSL_CIPHER_LIST
const char *ssl_ciphers = settings_opt_get("ssl_ciphers");
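Review bot: In the new `#else` branch `ssl_fpr` is handed to `lm_ssl_new()` with no format check, whereas the MD5 path rejects a malformed value through `hex_to_fingerprint()` and prints a format hint. A user who upgrades loudmouth with a legacy colon-separated MD5 value still in `ssl_fingerprint` gets no hint here, and how loudmouth treats such a value is not visible in this diff, so pinning may fail at connect time or not be applied as the user intended. A small check before the call would help, for example `if (ssl_fpr && !g_str_has_prefix(ssl_fpr, "SHA256:"))` followed by a `scr_LogPrint(LPRINT_LOGNORM, ...)` line naming the `SHA256:<64 hex digits>` form shown in mcabberrc.example. The `#ifndef` opens in the previous hunk (-1902), and the enclosing function starts and ends outside both hunks.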
--- a/mcabber/mcabberrc.example Wed Feb 10 23:15:20 2016 +0100
+++ b/mcabber/mcabberrc.example Sat Feb 13 11:05:07 2016 +0100
@@ -61,9 +61,9 @@
# ssl certificate matches ssl_fingerprint.
# You can get the fingerprint of your server either with gnutls or openssl:
# 1. gnutls-cli -p 5223 $your_server
-# 2. openssl s_client -connect $your_server:5223 | \
-# openssl x509 -fingerprint -md5 -noout
-#set ssl_fingerprint = 97:5C:00:3F:1D:77:45:25:E2:C5:70:EC:83:C8:87:EE
+# 2. openssl s_client -starttls xmpp -connect $yourserver:5222 | \
+# openssl x509 -fingerprint -sha256 -noout
+#set ssl_fingerprint = SHA256:647d2eef7f972001d4fe8b6bedb3007d095dcd982ebb6773c6fb74adb8cc27c0
# Set ssl_ignore_checks to 1 to disable all certificate checks except the
# fingerprint check.
#set ssl_ignore_checks = 0
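Review bot: The new sample value `SHA256:647d2e…` is lowercase hex without separators, while `openssl x509 -fingerprint -sha256 -noout` prints colon-separated uppercase hex after a `Fingerprint=` label, so the documented command does not yield a value that can be pasted in. The comment should say how to convert the output, or state that both forms are accepted if loudmouth does that. The text also no longer tells users on loudmouth older than 1.5.3, which this commit still supports, that they must keep the MD5 form; a line such as `# With loudmouth < 1.5.3 use the MD5 form instead (16 colon-separated hex bytes).` would cover that. Minor: the gnutls-cli line still targets port 5223 with `$your_server`, while the openssl line now uses STARTTLS on 5222 with `$yourserver`.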