aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-10 14:28:29 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-11 11:20:37 +0100
commit17b263c49df682fc45f0e50cceb01db4366ad9a7 (patch)
tree06f0d963294aa426deeebc046713263d90c6c072
parentc011e17d4f238882686e3f0e59c444a1c53ac8e3 (diff)
libinterimap: show the matching pinned SPKI in --debug mode.
-rw-r--r--Changelog1
-rw-r--r--lib/Net/IMAP/InterIMAP.pm1
-rw-r--r--tests/tls-pin-fingerprint/t9
-rw-r--r--tests/tls-rsa+ecdsa/t7
-rw-r--r--tests/tls-verify-peer/t2
5 files changed, 15 insertions, 5 deletions
diff --git a/Changelog b/Changelog
index 6036b46..cd474a0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,6 @@
interimap (0.5.4) upstream;
+ + libinterimap: show the matching pinned SPKI in --debug mode.
- documentation: replace example.org with example.net for consistency.
-- Guilhem Moulin <guilhem@fripost.org> Thu, 10 Dec 2020 14:22:05 +0100
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 1a71f59..849dc0f 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1635,6 +1635,7 @@ sub _ssl_verify($$$) {
my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert);
if (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) {
+ $self->log('Peer certificate matches pinned SPKI digest ', $algo .'$'. $fpr) if $self->{debug};
$rv = 1;
last;
}
diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t
index d3830e2..6716833 100644
--- a/tests/tls-pin-fingerprint/t
+++ b/tests/tls-pin-fingerprint/t
@@ -28,7 +28,8 @@ check_mailbox_status "INBOX"
with_remote_config <<-EOF
SSL_fingerprint = $INVALID_FPR $PKEY_SHA256
EOF
-interimap || error
+interimap --debug || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
# and now an invalid one
@@ -60,13 +61,15 @@ grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
with_remote_config <<-EOF
SSL_fingerprint = sha256\$$PKEY_SHA256 $INVALID_FPR
EOF
-interimap || error
+interimap --debug || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
# invalid + valid
with_remote_config <<-EOF
SSL_fingerprint = $INVALID_FPR sha256\$$PKEY_SHA256
EOF
-interimap || error
+interimap --debug || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
# vim: set filetype=sh :
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
index 29352e9..2adf930 100644
--- a/tests/tls-rsa+ecdsa/t
+++ b/tests/tls-rsa+ecdsa/t
@@ -32,6 +32,9 @@ interimap --debug || error
grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
-e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
<"$STDERR" || error
+grep -Fx -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" \
+ -e "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" \
+ <"$STDERR" || error
# force RSA (XXX do we really have to force TLSv1.2 here?)
cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
@@ -40,10 +43,12 @@ cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF
EOF
interimap --debug || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
# force ECDSA
-sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config"
+sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" -- "$XDG_CONFIG_HOME/interimap/config"
interimap --debug || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" <"$STDERR" || error
# vim: set filetype=sh :
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 9e4d9fa..35c7c8d 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -46,7 +46,7 @@ with_remote_config <<-EOF
SSL_fingerprint = sha256\$$PKEY_SHA256
EOF
unverified_peer
-! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error
+grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
step_done
capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX)