From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Tue, 31 Dec 2024 10:04:00 +0000 (+0200)
Subject: lib-ssl-iostream: Add ssl_peer_certificate_fingerprint_hash setting
X-Git-Tag: 2.4.2~746
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c0b7b08632613b2ab197d1d4b116b935fb8a252;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Add ssl_peer_certificate_fingerprint_hash setting
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 9f6c77132d..01de485b57 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -847,7 +847,8 @@ ssl_iostream_context_init_common(struct ssl_iostream_context *ctx,
 	if (set->cert_hash_algo != NULL && *set->cert_hash_algo != '\0') {
 		ctx->pcert_fp_algo = EVP_get_digestbyname(set->cert_hash_algo);
 		if (ctx->pcert_fp_algo == NULL) {
-			*error_r = t_strdup_printf("Unsupported hash algorithm '%s'",
+			*error_r = t_strdup_printf("Unsupported hash algorithm '%s' "
+						   "(ssl_peer_certificate_fingerprint_hash setting)",
 						   set->cert_hash_algo);
 			return -1;
 		}
diff --git a/src/lib-ssl-iostream/ssl-settings.c b/src/lib-ssl-iostream/ssl-settings.c
index deb30942e8..9572f978ef 100644
--- a/src/lib-ssl-iostream/ssl-settings.c
+++ b/src/lib-ssl-iostream/ssl-settings.c
@@ -32,6 +32,7 @@ static const struct setting_define ssl_setting_defines[] = {
 
 	DEF(BOOL, ssl_client_require_valid_cert),
 	DEF(STR, ssl_options), /* parsed as a string to set bools */
+	DEF(STR, ssl_peer_certificate_fingerprint_hash),
 
 	SETTING_DEFINE_LIST_END
 };
@@ -51,6 +52,8 @@ const struct ssl_settings ssl_default_settings = {
 
 	.ssl_client_require_valid_cert = TRUE,
 	.ssl_options = "",
+
+	.ssl_peer_certificate_fingerprint_hash = "",
 };
 
 static const struct setting_keyvalue ssl_default_settings_keyvalue[] = {
@@ -152,6 +155,21 @@ ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
 		}
 	}
 
+	/* Hashing algorithms considered unsafe for
+	   fingerprinting purposes. */
+	static const char *const unsafe_hash_algos[] = {
+		"md4", "md5", "sha1", "rmd160", "sm3", NULL
+	};
+
+	if (str_array_icase_find(unsafe_hash_algos,
+				 set->ssl_peer_certificate_fingerprint_hash)) {
+		*error_r = t_strdup_printf(
+				"ssl_peer_certificate_fingerprint_hash: "
+				"Unsafe hash algorithm '%s' used",
+				set->ssl_peer_certificate_fingerprint_hash);
+		return FALSE;
+	}
+
 	return TRUE;
 }
 
@@ -222,6 +240,8 @@ ssl_common_settings_to_iostream_set(const struct ssl_settings *ssl_set)
 	set->compression = ssl_set->parsed_opts.compression;
 	set->tickets = ssl_set->parsed_opts.tickets;
 	set->curve_list = ssl_set->ssl_curve_list;
+	set->cert_hash_algo = ssl_set->ssl_peer_certificate_fingerprint_hash;
+
 	return set;
 }
 
diff --git a/src/lib-ssl-iostream/ssl-settings.h b/src/lib-ssl-iostream/ssl-settings.h
index 91d7137c6e..83b0815525 100644
--- a/src/lib-ssl-iostream/ssl-settings.h
+++ b/src/lib-ssl-iostream/ssl-settings.h
@@ -18,6 +18,7 @@ struct ssl_settings {
 	const char *ssl_min_protocol;
 	const char *ssl_crypto_device;
 	const char *ssl_options;
+	const char *ssl_peer_certificate_fingerprint_hash;
 
 	bool ssl_client_require_valid_cert;