Improved TOFU implementation

If a server sends a different certificate (checked by matching public key fingerprints), abort the connection at the TLS handshake stage.

A new error page is shown explaining the situation. A button is provided for conveniently opening Page Information, where trust can be updated.

The file format of "visited.txt" was updated, so it is now called "visited.2.txt". The new format includes server port numbers, and the fingerprints are calculated based on public keys.

IssueID #308
IssueID #309
IssueID #310

19 files changed, 92 insertions, 43 deletions

diff --git a/po/en.po b/po/en.po
index 6fdd685e..4f1e1eca 100644
--- a/po/en.po
+++ b/po/en.po
@@ -177,6 +177,9 @@ msgstr "Open Location…"
 msgid "menu.downloads"
 msgstr "Show Downloads"
 
+msgid "menu.pageinfo"
+msgstr "Show Page Information"
+
 msgid "menu.find"
 msgstr "Find on Page"
 
@@ -1495,6 +1498,12 @@ msgstr "Network/TLS Failure"
 msgid "error.tls.msg"
 msgstr "Failed to communicate with the server. Here is the error message:"
 
+msgid "error.certverify"
+msgstr "Untrusted Server"
+
+msgid "error.certverify.msg"
+msgstr "Connection to the server was aborted because the received TLS certificate does not match the one we trust. Please check if the server has announced a certificate change. If not, it is possible that a malicious third party is masquerading as the server you tried to reach.\n\nThe certificate can be marked as trusted in Page Information."
+
 msgid "error.temporary"
 msgstr "Temporary Failure"
 
diff --git a/res/lang/de.bin b/res/lang/de.bin
index cbcbad56..d13dd44c 100644
--- a/res/lang/de.bin
+++ b/res/lang/de.bin
diff --git a/res/lang/en.bin b/res/lang/en.bin
index 48f2695e..e8b50a07 100644
--- a/res/lang/en.bin
+++ b/res/lang/en.bin
diff --git a/res/lang/es.bin b/res/lang/es.bin
index c49f9a1b..7c3697c4 100644
--- a/res/lang/es.bin
+++ b/res/lang/es.bin
diff --git a/res/lang/fi.bin b/res/lang/fi.bin
index ff2ca5cd..86accba7 100644
--- a/res/lang/fi.bin
+++ b/res/lang/fi.bin
diff --git a/res/lang/fr.bin b/res/lang/fr.bin
index 0d5cfc55..a7d25794 100644
--- a/res/lang/fr.bin
+++ b/res/lang/fr.bin
diff --git a/res/lang/ia.bin b/res/lang/ia.bin
index b4016d13..44daa5a1 100644
--- a/res/lang/ia.bin
+++ b/res/lang/ia.bin
diff --git a/res/lang/ie.bin b/res/lang/ie.bin
index ead591e7..932f37a1 100644
--- a/res/lang/ie.bin
+++ b/res/lang/ie.bin
diff --git a/res/lang/pl.bin b/res/lang/pl.bin
index f220a34e..ca5814ad 100644
--- a/res/lang/pl.bin
+++ b/res/lang/pl.bin
diff --git a/res/lang/ru.bin b/res/lang/ru.bin
index 8c0431a5..a5396cff 100644
--- a/res/lang/ru.bin
+++ b/res/lang/ru.bin
diff --git a/res/lang/sr.bin b/res/lang/sr.bin
index 5c4174cc..efc74ced 100644
--- a/res/lang/sr.bin
+++ b/res/lang/sr.bin
diff --git a/res/lang/tok.bin b/res/lang/tok.bin
index 8df467ef..2b7fda91 100644
--- a/res/lang/tok.bin
+++ b/res/lang/tok.bin
diff --git a/res/lang/zh_Hans.bin b/res/lang/zh_Hans.bin
index 3874b28a..7664ecd5 100644
--- a/res/lang/zh_Hans.bin
+++ b/res/lang/zh_Hans.bin
diff --git a/res/lang/zh_Hant.bin b/res/lang/zh_Hant.bin
index e5feb691..b68bba0d 100644
--- a/res/lang/zh_Hant.bin
+++ b/res/lang/zh_Hant.bin
diff --git a/src/gmcerts.c b/src/gmcerts.c
index 4b84aa05..32e47b40 100644
--- a/src/gmcerts.c
+++ b/src/gmcerts.c
@@ -23,6 +23,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 #include "gmcerts.h"
 #include "gmutil.h"
 #include "defs.h"
+#include "app.h"
 
 #include <the_Foundation/file.h>
 #include <the_Foundation/fileinfo.h>
@@ -35,7 +36,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 #include <the_Foundation/time.h>
 #include <ctype.h>
 
-static const char *filename_GmCerts_          = "trusted.txt";
+static const char *filename_GmCerts_          = "trusted.2.txt";
 static const char *identsDir_GmCerts_         = "idents";
 static const char *oldIdentsFilename_GmCerts_ = "idents.binary";
 static const char *identsFilename_GmCerts_    = "idents.lgr";
@@ -337,7 +338,7 @@ static void load_GmCerts_(iGmCerts *d) {
             iRegExpMatch m;
             init_RegExpMatch(&m);
             if (matchRange_RegExp(pattern, line, &m)) {
-                const iRangecc domain = capturedRange_RegExpMatch(&m, 1);
+                const iRangecc key    = capturedRange_RegExpMatch(&m, 1);
                 const iRangecc until  = capturedRange_RegExpMatch(&m, 2);
                 const iRangecc fp     = capturedRange_RegExpMatch(&m, 3);
                 time_t sec;
@@ -345,7 +346,7 @@ static void load_GmCerts_(iGmCerts *d) {
                 iDate untilDate;
                 initSinceEpoch_Date(&untilDate, sec);
                 insert_StringHash(d->trusted,
-                                  collect_String(newRange_String(domain)),
+                                  collect_String(newRange_String(key)),
                                   new_TrustEntry(collect_Block(hexDecode_Rangecc(fp)),
                                                  &untilDate));
             }
@@ -376,15 +377,35 @@ static void load_GmCerts_(iGmCerts *d) {
     }
 }
 
+iBool verify_GmCerts_(iTlsRequest *request, const iTlsCertificate *cert, int depth) {
+    iGmCerts *d = certs_App();
+    if (depth != 0) {
+        /* We only check the primary certificate. */
+        return iTrue;
+    }
+    const iAddress *address = address_TlsRequest(request);
+    iRangecc        domain  = range_String(hostName_Address(address));
+    uint16_t        port    = port_Address(address);
+#if 0
+    printf("[verify_GmCerts_] peer: %s\n", cstrCollect_String(toString_Address(address)));
+    printf("              hostname: %s\n", cstr_String(hostName_Address(address)));
+    printf("                  port: %u\n", port_Address(address));
+    printf("          cert subject: %s\n", cstrCollect_String(subject_TlsCertificate(cert)));
+#endif
+    return checkTrust_GmCerts(d, domain, port, cert);
+}
+
 void init_GmCerts(iGmCerts *d, const char *saveDir) {
     d->mtx = new_Mutex();
     initCStr_String(&d->saveDir, saveDir);
     d->trusted = new_StringHash();
     init_PtrArray(&d->idents);
     load_GmCerts_(d);
+    setVerifyFunc_TlsRequest(verify_GmCerts_);
 }
 
 void deinit_GmCerts(iGmCerts *d) {
+    setVerifyFunc_TlsRequest(NULL);
     iGuardMutex(d->mtx, {
         saveIdentities_GmCerts(d);
         iForEach(PtrArray, i, &d->idents) {
@@ -426,6 +447,11 @@ iBool verifyDomain_GmCerts(const iTlsCertificate *cert, iRangecc domain) {
     return iFalse;
 }
 
+static void makeTrustKey_(iRangecc domain, uint16_t port, iString *key_out) {
+    punyEncodeDomain_Rangecc(domain, key_out);
+    appendFormat_String(key_out, ";%u", port ? port : GEMINI_DEFAULT_PORT);    
+}
+
 iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTlsCertificate *cert) {
     if (!cert) {
         return iFalse;
@@ -434,30 +460,30 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
         return iFalse;
     }
     /* We trust CA verification implicitly. */
-    const iBool isAuth = verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus;
-    if (!isAuth && !verifyDomain_GmCerts(cert, domain)) {
+    //const iBool isAuth = verify_TlsCertificate(cert) == authority_TlsCertificateVerifyStatus;
+//    const iBool isAuth = iFalse; /* CA verification done during handshake */
+    if (/*!isAuth &&*/ !verifyDomain_GmCerts(cert, domain)) {
         return iFalse;
     }
     /* TODO: Could call setTrusted_GmCerts() instead of duplicating the trust-setting. */
     /* Good certificate. If not already trusted, add it now. */
-    iString *key = newRange_String(domain);
-    if (port && port != GEMINI_DEFAULT_PORT) {
-        appendFormat_String(key, ":%u", port);
-    }
     iDate until;
     validUntil_TlsCertificate(cert, &until);
-    iBlock *fingerprint = fingerprint_TlsCertificate(cert);
+    iBlock *fingerprint = publicKeyFingerprint_TlsCertificate(cert);
+    iString key;
+    init_String(&key);
+    makeTrustKey_(domain, port, &key);
     lock_Mutex(d->mtx);
-    iTrustEntry *trust = value_StringHash(d->trusted, key);
+    iTrustEntry *trust = value_StringHash(d->trusted, &key);
     if (trust) {
         /* We already have it, check if it matches the one we trust for this domain (if it's
            still valid. */
-        if (!isAuth && elapsedSeconds_Time(&trust->validUntil) < 0) {
+        if (/*!isAuth && */elapsedSeconds_Time(&trust->validUntil) < 0) {
             /* Trusted cert is still valid. */
             const iBool isTrusted = cmp_Block(fingerprint, &trust->fingerprint) == 0;
             unlock_Mutex(d->mtx);
             delete_Block(fingerprint);
-            delete_String(key);
+            deinit_String(&key);
             return isTrusted;
         }
         /* Update the trusted cert. */
@@ -465,50 +491,47 @@ iBool checkTrust_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iTls
         set_Block(&trust->fingerprint, fingerprint);
     }
     else {
-        insert_StringHash(d->trusted, key, iClob(new_TrustEntry(fingerprint, &until)));
+        insert_StringHash(d->trusted, &key, iClob(new_TrustEntry(fingerprint, &until)));
     }
     save_GmCerts_(d);
     unlock_Mutex(d->mtx);
     delete_Block(fingerprint);
-    delete_String(key);
+    deinit_String(&key);
     return iTrue;
 }
 
 void setTrusted_GmCerts(iGmCerts *d, iRangecc domain, uint16_t port, const iBlock *fingerprint,
                         const iDate *validUntil) {
-    iString *key = collectNew_String();
-    punyEncodeDomain_Rangecc(domain, key);
-    if (port && port != GEMINI_DEFAULT_PORT) {
-        appendFormat_String(key, ":%u", port);
-    }
+    iString key;
+    init_String(&key);
+    makeTrustKey_(domain, port, &key);
     lock_Mutex(d->mtx);
-    iTrustEntry *trust = value_StringHash(d->trusted, key);
+    iTrustEntry *trust = value_StringHash(d->trusted, &key);
     if (trust) {
         init_Time(&trust->validUntil, validUntil);
         set_Block(&trust->fingerprint, fingerprint);
     }
     else {
-        insert_StringHash(d->trusted, key, iClob(trust = new_TrustEntry(fingerprint, validUntil)));
+        insert_StringHash(d->trusted, &key, iClob(trust = new_TrustEntry(fingerprint, validUntil)));
     }
     save_GmCerts_(d);
     unlock_Mutex(d->mtx);
+    deinit_String(&key);
 }
 
 iTime domainValidUntil_GmCerts(const iGmCerts *d, iRangecc domain, uint16_t port) {
     iTime expiry;
     iZap(expiry);
-    lock_Mutex(d->mtx);
     iString key;
-    initRange_String(&key, domain);
-    if (port && port != GEMINI_DEFAULT_PORT) {
-        appendFormat_String(&key, ":%u", port);
-    }
+    init_String(&key);
+    makeTrustKey_(domain, port, &key);
+    lock_Mutex(d->mtx);
     const iTrustEntry *trust = constValue_StringHash(d->trusted, &key);
     if (trust) {
         expiry = trust->validUntil;
     }
-    deinit_String(&key);
     unlock_Mutex(d->mtx);
+    deinit_String(&key);
     return expiry;
 }
 
diff --git a/src/gmrequest.c b/src/gmrequest.c
index 8ae8f736..9b640cee 100644
--- a/src/gmrequest.c
+++ b/src/gmrequest.c
@@ -161,7 +161,7 @@ static void checkServerCertificate_GmRequest_(iGmRequest *d) {
     if (cert) {
         const iRangecc domain = range_String(hostName_Address(address_TlsRequest(d->req)));
         resp->certFlags |= available_GmCertFlag;
-        set_Block(&resp->certFingerprint, collect_Block(fingerprint_TlsCertificate(cert)));
+        set_Block(&resp->certFingerprint, collect_Block(publicKeyFingerprint_TlsCertificate(cert)));
         resp->certFlags |= haveFingerprint_GmCertFlag;
         if (!isExpired_TlsCertificate(cert)) {
             resp->certFlags |= timeVerified_GmCertFlag;
@@ -289,8 +289,14 @@ static void requestFinished_GmRequest_(iGmRequest *d, iTlsRequest *req) {
     d->state = (status_TlsRequest(req) == error_TlsRequestStatus ? failure_GmRequestState
                                                                  : finished_GmRequestState);
     if (d->state == failure_GmRequestState) {
-        d->resp->statusCode = tlsFailure_GmStatusCode;
-        set_String(&d->resp->meta, errorMessage_TlsRequest(req));
+        if (!isVerified_TlsRequest(req)) {
+            d->resp->statusCode = tlsServerCertificateNotVerified_GmStatusCode;
+            setCStr_String(&d->resp->meta, "Server certificate could not be verified");
+        }
+        else {
+            d->resp->statusCode = tlsFailure_GmStatusCode;
+            set_String(&d->resp->meta, errorMessage_TlsRequest(req));
+        }
     }
     checkServerCertificate_GmRequest_(d);
     unlock_Mutex(d->mtx);
diff --git a/src/gmutil.c b/src/gmutil.c
index d8f58a10..0ae0861c 100644
--- a/src/gmutil.c
+++ b/src/gmutil.c
@@ -682,6 +682,10 @@ static const struct {
       { 0x1f5a7, /* networked computers */
         "${error.tls}",
         "${error.tls.msg}" } },
+    { tlsServerCertificateNotVerified_GmStatusCode,
+      { 0x1f645,
+        "${error.certverify}",
+        "${error.certverify.msg}" } },
     { temporaryFailure_GmStatusCode,
       { 0x1f50c, /* electric plug */
         "${error.temporary}",
diff --git a/src/gmutil.h b/src/gmutil.h
index 40fa1cf9..1bf41775 100644
--- a/src/gmutil.h
+++ b/src/gmutil.h
@@ -43,6 +43,7 @@ enum iGmStatusCode {
     unknownStatusCode_GmStatusCode,
     invalidLocalResource_GmStatusCode,
     tlsFailure_GmStatusCode,
+    tlsServerCertificateNotVerified_GmStatusCode,
 
     none_GmStatusCode                      = 0,
     /* general status code categories */
diff --git a/src/ui/documentwidget.c b/src/ui/documentwidget.c
index 7e6c2ea4..4a4101b1 100644
--- a/src/ui/documentwidget.c
+++ b/src/ui/documentwidget.c
@@ -1135,6 +1135,16 @@ static void showErrorPage_DocumentWidget_(iDocumentWidget *d, enum iGmStatusCode
                 useBanner = iFalse; /* valid data wasn't received from host */
                 appendFormat_String(src, "\n\n>%s\n", cstr_String(meta));
                 break;
+                /* fall through */
+            case tlsServerCertificateNotVerified_GmStatusCode:
+                makeFooterButtons_DocumentWidget_(
+                    d,
+                    (iMenuItem[]){ { info_Icon " ${menu.pageinfo}",
+                                     SDLK_i,
+                                     KMOD_PRIMARY,
+                                     "document.info" } },
+                    1);
+                break;
             case failedToOpenFile_GmStatusCode:
             case certificateNotValid_GmStatusCode:
                 appendFormat_String(src, "\n\n%s", cstr_String(meta));
@@ -1143,10 +1153,6 @@ static void showErrorPage_DocumentWidget_(iDocumentWidget *d, enum iGmStatusCode
                 iString *key = collectNew_String();
                 toString_Sym(SDLK_s, KMOD_PRIMARY, key);
                 appendFormat_String(src, "\n```\n%s\n```\n", cstr_String(meta));
-//                appendFormat_String(src,
-//                                    cstr_Lang("error.unsupported.suggestsave"),
-//                                    cstr_String(key),
-//                                    saveToDownloads_Label);
                 makeFooterButtons_DocumentWidget_(
                     d,
                     (iMenuItem[]){ { translateCStr_Lang(download_Icon " " saveToDownloads_Label),
@@ -1565,7 +1571,8 @@ static void updateTrust_DocumentWidget_(iDocumentWidget *d, const iGmResponse *r
     }
     setFlags_Widget(as_Widget(lock), disabled_WidgetFlag, iFalse);
     const iBool isDarkMode = isDark_ColorTheme(colorTheme_App());
-    if (~d->certFlags & domainVerified_GmCertFlag) {
+    if (~d->certFlags & domainVerified_GmCertFlag ||
+        ~d->certFlags & trusted_GmCertFlag) {
         updateTextCStr_LabelWidget(lock, red_ColorEscape warning_Icon);
     }
     else if (d->certFlags & trusted_GmCertFlag) {
@@ -2592,8 +2599,11 @@ static iBool handleCommand_DocumentWidget_(iDocumentWidget *d, const char *cmd)
         setFocus_Widget(NULL);
         iArray *items = new_Array(sizeof(iMenuItem));
         if (canTrust) {
-            pushBack_Array(
-                items, &(iMenuItem){ uiTextCaution_ColorEscape "${dlg.cert.trust}", 0, 0, "server.trustcert" });
+            pushBack_Array(items,
+                           &(iMenuItem){ uiTextCaution_ColorEscape "${dlg.cert.trust}",
+                                         SDLK_u,
+                                         KMOD_PRIMARY | KMOD_SHIFT,
+                                         "server.trustcert" });
         }
         if (haveFingerprint) {
             pushBack_Array(items, &(iMenuItem){ "${dlg.cert.fingerprint}", 0, 0, "server.copycert" });
@@ -2627,11 +2637,7 @@ static iBool handleCommand_DocumentWidget_(iDocumentWidget *d, const char *cmd)
         if (!isEmpty_Block(d->certFingerprint) && !isEmpty_Range(&host)) {
             setTrusted_GmCerts(certs_App(), host, port, d->certFingerprint, &d->certExpiry);
             d->certFlags |= trusted_GmCertFlag;
-            postCommand_Widget(w, "document.info");
-            updateTrust_DocumentWidget_(d, NULL);
-            redoLayout_GmDocument(d->doc);
-            invalidate_DocumentWidget_(d);
-            refresh_Widget(d);
+            postCommand_Widget(w, "navigate.reload");
         }
         return iTrue;
     }