From 95b2a8e6a60be3c77f1e5473a0c6b2a8b1eecf18 Mon Sep 17 00:00:00 2001 From: link2xt Date: Fri, 16 Aug 2024 22:14:00 +0000 Subject: [PATCH] fix: separate entered and configured certificate checks --- deltachat-ffi/deltachat.h | 2 +- .../src/deltachat_rpc_client/const.py | 2 +- node/constants.js | 2 +- node/lib/constants.ts | 2 +- src/login_param.rs | 70 +++++++++++++------ 5 files changed, 54 insertions(+), 24 deletions(-) diff --git a/deltachat-ffi/deltachat.h b/deltachat-ffi/deltachat.h index a2ea9da14..19db8369d 100644 --- a/deltachat-ffi/deltachat.h +++ b/deltachat-ffi/deltachat.h @@ -5712,7 +5712,7 @@ int64_t dc_lot_get_timestamp (const dc_lot_t* lot); * Accept invalid certificates, including self-signed ones * or having incorrect hostname. */ -#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 3 +#define DC_CERTCK_ACCEPT_INVALID_CERTIFICATES 2 /** * @} diff --git a/deltachat-rpc-client/src/deltachat_rpc_client/const.py b/deltachat-rpc-client/src/deltachat_rpc_client/const.py index 902feb70b..a8a7c8573 100644 --- a/deltachat-rpc-client/src/deltachat_rpc_client/const.py +++ b/deltachat-rpc-client/src/deltachat_rpc_client/const.py @@ -165,7 +165,7 @@ class CertificateChecks(IntEnum): AUTOMATIC = 0 STRICT = 1 - ACCEPT_INVALID_CERTIFICATES = 3 + ACCEPT_INVALID_CERTIFICATES = 2 class Connectivity(IntEnum): diff --git a/node/constants.js b/node/constants.js index 2319631b2..9932c5341 100644 --- a/node/constants.js +++ b/node/constants.js @@ -1,7 +1,7 @@ // Generated! module.exports = { - DC_CERTCK_ACCEPT_INVALID_CERTIFICATES: 3, + DC_CERTCK_ACCEPT_INVALID_CERTIFICATES: 2, DC_CERTCK_AUTO: 0, DC_CERTCK_STRICT: 1, DC_CHAT_ID_ALLDONE_HINT: 7, diff --git a/node/lib/constants.ts b/node/lib/constants.ts index 3c611720e..252a52cbf 100644 --- a/node/lib/constants.ts +++ b/node/lib/constants.ts 
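Review bot: The doc comment above `DC_CERTCK_ACCEPT_INVALID_CERTIFICATES` in deltachat.h should state that the previous value 3 is still accepted, because bindings built against the old header keep passing 3 and existing accounts may have it stored. The Rust side of this commit keeps 3 as `AcceptInvalidCertificates2`, so behaviour is preserved. However, a client that compares the setting with this constant, for example to show that certificate checks are disabled, would presumably miss the legacy value. I would add ` * The value 3 is a deprecated alias that is still accepted for compatibility.` to the comment block, which starts above the hunk. The same applies to `ACCEPT_INVALID_CERTIFICATES = 2` in const.py, where `# 3 is still accepted as a legacy alias` would do.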
@@ -1,7 +1,7 @@ // Generated! export enum C { - DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 3, + DC_CERTCK_ACCEPT_INVALID_CERTIFICATES = 2, DC_CERTCK_AUTO = 0, DC_CERTCK_STRICT = 1, DC_CHAT_ID_ALLDONE_HINT = 7, diff --git a/src/login_param.rs b/src/login_param.rs index a35f4ee00..c626ac8b9 100644 --- a/src/login_param.rs +++ b/src/login_param.rs 
@@ -10,36 +10,66 @@ use crate::provider::Socket; use crate::provider::{get_provider_by_id, Provider}; use crate::socks::Socks5Config; +/// User entered setting for certificate checks. +/// +/// Should be saved into `imap_certificate_checks` before running configuration. #[derive(Copy, Clone, Debug, Default, Display, FromPrimitive, ToPrimitive, PartialEq, Eq)] #[repr(u32)] #[strum(serialize_all = "snake_case")] -pub enum CertificateChecks { - /// Same as AcceptInvalidCertificates if stored in the database - /// as `configured_{imap,smtp}_certificate_checks`. - /// - /// Previous Delta Chat versions stored this in `configured_*` - /// if Automatic configuration - /// was selected, configuration with strict TLS checks failed - /// and configuration without strict TLS checks succeeded. - /// - /// Currently Delta Chat stores only - /// `Strict` or `AcceptInvalidCertificates` variants - /// in `configured_*` settings. - /// - /// `Automatic` in `{imap,smtp}_certificate_checks` - /// means that provider database setting should be taken. +pub enum EnteredCertificateChecks { + /// `Automatic` means that provider database setting should be taken. /// If there is no provider database setting for certificate checks, - /// `Automatic` is the same as `Strict`. + /// check certificates strictly. #[default] Automatic = 0, + /// Ensure that TLS certificate is valid for the server hostname. Strict = 1, - /// Same as AcceptInvalidCertificates - /// Previously known as AcceptInvalidHostnames, now deprecated. - AcceptInvalidCertificates2 = 2, + /// Accept certificates that are expired, self-signed + /// or otherwise not valid for the server hostname. + AcceptInvalidCertificates = 2, - AcceptInvalidCertificates = 3, + /// Alias for `AcceptInvalidCertificates` + /// for API compatibility. + AcceptInvalidCertificates2 = 3, +} + +/// Values saved into `imap_certificate_checks`. 
+#[derive(Copy, Clone, Debug, Default, Display, FromPrimitive, ToPrimitive, PartialEq, Eq)] +#[repr(u32)] +#[strum(serialize_all = "snake_case")] +pub enum ConfiguredCertificateChecks { + /// Use configuration from the provider database. + /// If there is no provider database setting for certificate checks, + /// accept invalid certificates. + /// + /// Must not be saved by new versions. + /// + /// Previous Delta Chat versions before core 1.133.0 + /// stored this in `configured_imap_certificate_checks` + /// if Automatic configuration + /// was selected, configuration with strict TLS checks failed + /// and configuration without strict TLS checks succeeded. + OldAutomatic = 0, + + /// Ensure that TLS certificate is valid for the server hostname. + Strict = 1, + + /// Accept certificates that are expired, self-signed + /// or otherwise not valid for the server hostname. + AcceptInvalidCertificates = 2, + + /// Accept certificates that are expired, self-signed + /// or otherwise not valid for the server hostname. + /// + /// Alias to `AcceptInvalidCertificates` for compatibility. + AcceptInvalidCertificates2 = 3, + + /// Use configuration from the provider database. + /// If there is no provider database setting for certificate checks, + /// apply strict checks to TLS certificates. + Automatic = 4, } /// Login parameters for a single server, either IMAP or SMTP
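Review bot: `ConfiguredCertificateChecks` derives `Default`, but none of its variants visible in the hunk carries `#[default]`, which the standard derive requires on an enum, so as shown this should not compile. Either drop `Default` from the derive list or put `#[default]` on `Automatic = 4`. It should not go on `OldAutomatic`, because that variant is documented as falling back to accepting invalid certificates when the provider database has no setting. Separately, the summary line of `ConfiguredCertificateChecks` names `imap_certificate_checks`, the same key that `EnteredCertificateChecks` is documented as being saved into. Going by the `OldAutomatic` docs it presumably should name `configured_imap_certificate_checks`.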