9 files changed, 226 insertions, 0 deletions

diff --git a/Makefile.am b/Makefile.am
index 19374f2c..cfeb4f7d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -61,6 +61,7 @@ core_sources = \
 	src/config/theme.c src/config/theme.h \
 	src/config/color.c src/config/color.h \
 	src/config/scripts.c src/config/scripts.h \
+	src/config/cafile.c src/config/cafile.h \
 	src/plugins/plugins.h src/plugins/plugins.c \
 	src/plugins/api.h src/plugins/api.c \
 	src/plugins/callbacks.h src/plugins/callbacks.c \
@@ -124,6 +125,7 @@ unittest_sources = \
 	tests/unittests/log/stub_log.c \
 	tests/unittests/database/stub_database.c \
 	tests/unittests/config/stub_accounts.c \
+	tests/unittests/config/stub_cafile.c \
 	tests/unittests/tools/stub_http_upload.c \
 	tests/unittests/tools/stub_http_download.c \
 	tests/unittests/tools/stub_aesgcm_download.c \
diff --git a/src/command/cmd_funcs.c b/src/command/cmd_funcs.c
index b1aadbf0..b061f9bf 100644
--- a/src/command/cmd_funcs.c
+++ b/src/command/cmd_funcs.c
@@ -67,6 +67,7 @@
 #include "config/files.h"
 #include "config/accounts.h"
 #include "config/account.h"
+#include "config/cafile.h"
 #include "config/preferences.h"
 #include "config/theme.h"
 #include "config/tlscerts.h"
@@ -231,6 +232,7 @@ cmd_tls_trust(ProfWin* window, const char* const command, gchar** args)
         cons_show("Error getting TLS certificate.");
         return TRUE;
     }
+    cafile_add(cert);
     if (tlscerts_exists(cert->fingerprint)) {
         cons_show("Certificate %s already trusted.", cert->fingerprint);
         tlscerts_free(cert);
diff --git a/src/config/cafile.c b/src/config/cafile.c
new file mode 100644
index 00000000..4ac832bf
--- /dev/null
+++ b/src/config/cafile.c
@@ -0,0 +1,106 @@
+/*
+ * cafile.c
+ * vim: expandtab:ts=4:sts=4:sw=4
+ *
+ * Copyright (C) 2022 Steffen Jaeckel <jaeckel-floss@eyet-services.de>
+ *
+ * This file is part of Profanity.
+ *
+ * Profanity is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Profanity is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Profanity.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give permission to
+ * link the code of portions of this program with the OpenSSL library under
+ * certain conditions as described in each individual source file, and
+ * distribute linked combinations including the two.
+ *
+ * You must obey the GNU General Public License in all respects for all of the
+ * code used other than OpenSSL. If you modify file(s) with this exception, you
+ * may extend this exception to your version of the file(s), but you are not
+ * obligated to do so. If you do not wish to do so, delete this exception
+ * statement from your version. If you delete this exception statement from all
+ * source files in the program, then also delete it here.
+ *
+ */
+
+#include <fcntl.h>
+#include <glib.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/wait.h>
+
+#include "common.h"
+#include "config/files.h"
+#include "log.h"
+
+static gchar*
+_cafile_name(void)
+{
+    gchar* certs_dir = files_get_data_path(DIR_CERTS);
+    if (!create_dir(certs_dir)) {
+        g_free(certs_dir);
+        return NULL;
+    }
+    gchar* filename = g_strdup_printf("%s/CAfile.pem", certs_dir);
+    g_free(certs_dir);
+    return filename;
+}
+
+void
+cafile_add(const TLSCertificate* cert)
+{
+    if (!cert->pem) {
+        log_error("[CAfile] can't store cert with fingerprint %s: PEM is empty", cert->fingerprint);
+        return;
+    }
+    gchar* cafile = _cafile_name();
+    if (!cafile)
+        return;
+    gchar *contents = NULL, *new_contents = NULL;
+    gsize length;
+    GError* glib_error = NULL;
+    if (g_file_test(cafile, G_FILE_TEST_EXISTS)) {
+        if (!g_file_get_contents(cafile, &contents, &length, &glib_error)) {
+            log_error("[CAfile] could not read from %s: %s", cafile, glib_error ? glib_error->message : "No GLib error given");
+            goto out;
+        }
+        if (strstr(contents, cert->fingerprint)) {
+            log_debug("[CAfile] fingerprint %s already stored", cert->fingerprint);
+            goto out;
+        }
+    }
+    const char* header = "# Profanity CAfile\n# DO NOT EDIT - this file is automatically generated";
+    new_contents = g_strdup_printf("%s\n\n# %s\n%s", contents ? contents : header, cert->fingerprint, cert->pem);
+    if (!g_file_set_contents(cafile, new_contents, -1, &glib_error))
+        log_error("[CAfile] could not write to %s: %s", cafile, glib_error ? glib_error->message : "No GLib error given");
+out:
+    g_free(new_contents);
+    g_free(contents);
+    g_free(cafile);
+}
+
+gchar*
+cafile_get_name(void)
+{
+    gchar* cafile = _cafile_name();
+    if (!g_file_test(cafile, G_FILE_TEST_EXISTS)) {
+        /* That's no problem!
+         * There's no need to have a profanity-specific CAfile if all CA's
+         * of servers you're trying to connect to are in your OS trust-store
+         */
+        log_debug("[CAfile] file %s not created yet", cafile);
+        g_free(cafile);
+        cafile = NULL;
+    }
+    return cafile;
+}
diff --git a/src/config/cafile.h b/src/config/cafile.h
new file mode 100644
index 00000000..2655d686
--- /dev/null
+++ b/src/config/cafile.h
@@ -0,0 +1,45 @@
+/*
+ * cafile.h
+ * vim: expandtab:ts=4:sts=4:sw=4
+ *
+ * Copyright (C) 2022 Steffen Jaeckel <jaeckel-floss@eyet-services.de>
+ *
+ * This file is part of Profanity.
+ *
+ * Profanity is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Profanity is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Profanity.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give permission to
+ * link the code of portions of this program with the OpenSSL library under
+ * certain conditions as described in each individual source file, and
+ * distribute linked combinations including the two.
+ *
+ * You must obey the GNU General Public License in all respects for all of the
+ * code used other than OpenSSL. If you modify file(s) with this exception, you
+ * may extend this exception to your version of the file(s), but you are not
+ * obligated to do so. If you do not wish to do so, delete this exception
+ * statement from your version. If you delete this exception statement from all
+ * source files in the program, then also delete it here.
+ *
+ */
+
+#ifndef CONFIG_CAFILE_H
+#define CONFIG_CAFILE_H
+
+#include <glib.h>
+#include "tlscerts.h"
+
+void cafile_add(const TLSCertificate* cert);
+gchar* cafile_get_name(void);
+
+#endif
diff --git a/src/config/files.h b/src/config/files.h
index c0000ce1..39e569ea 100644
--- a/src/config/files.h
+++ b/src/config/files.h
@@ -59,6 +59,7 @@
 #define DIR_DATABASE  "database"
 #define DIR_DOWNLOADS "downloads"
 #define DIR_EDITOR    "editor"
+#define DIR_CERTS     "certs"
 
 void files_create_directories(void);
 
diff --git a/src/event/server_events.c b/src/event/server_events.c
index 5963c96b..4a35302f 100644
--- a/src/event/server_events.c
+++ b/src/event/server_events.c
@@ -47,6 +47,7 @@
 #include "config/preferences.h"
 #include "config/tlscerts.h"
 #include "config/account.h"
+#include "config/cafile.h"
 #include "config/scripts.h"
 #include "event/client_events.h"
 #include "event/common.h"
@@ -1138,6 +1139,7 @@ sv_ev_certfail(const char* const errormsg, const TLSCertificate* cert)
 {
     // check profanity trusted certs
     if (tlscerts_exists(cert->fingerprint)) {
+        cafile_add(cert);
         return 1;
     }
 
@@ -1181,6 +1183,7 @@ sv_ev_certfail(const char* const errormsg, const TLSCertificate* cert)
         cons_show("Adding %s to trusted certificates.", cert->fingerprint);
         if (!tlscerts_exists(cert->fingerprint)) {
             tlscerts_add(cert);
+            cafile_add(cert);
         }
         free(cmd);
         return 1;
diff --git a/src/tools/http_download.c b/src/tools/http_download.c
index d4df5f6b..cd2a7553 100644
--- a/src/tools/http_download.c
+++ b/src/tools/http_download.c
@@ -50,6 +50,7 @@
 #include "profanity.h"
 #include "event/client_events.h"
 #include "tools/http_download.h"
+#include "config/cafile.h"
 #include "config/preferences.h"
 #include "ui/ui.h"
 #include "ui/window.h"
@@ -125,6 +126,7 @@ http_file_get(void* userdata)
     }
 
     char* cert_path = prefs_get_string(PREF_TLS_CERTPATH);
+    gchar* cafile = cafile_get_name();
     pthread_mutex_unlock(&lock);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -145,6 +147,9 @@ http_file_get(void* userdata)
 
     curl_easy_setopt(curl, CURLOPT_USERAGENT, "profanity");
 
+    if (cafile) {
+        curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
+    }
     if (cert_path) {
         curl_easy_setopt(curl, CURLOPT_CAPATH, cert_path);
     }
@@ -161,6 +166,7 @@ http_file_get(void* userdata)
     }
 
     pthread_mutex_lock(&lock);
+    g_free(cafile);
     g_free(cert_path);
     if (err) {
         if (download->cancel) {
diff --git a/src/tools/http_upload.c b/src/tools/http_upload.c
index d1360b46..ca336c9b 100644
--- a/src/tools/http_upload.c
+++ b/src/tools/http_upload.c
@@ -48,6 +48,7 @@
 #include "profanity.h"
 #include "event/client_events.h"
 #include "tools/http_upload.h"
+#include "config/cafile.h"
 #include "config/preferences.h"
 #include "ui/ui.h"
 #include "ui/window.h"
@@ -184,6 +185,7 @@ http_file_put(void* userdata)
     g_free(msg);
 
     char* cert_path = prefs_get_string(PREF_TLS_CERTPATH);
+    gchar* cafile = cafile_get_name();
     pthread_mutex_unlock(&lock);
 
     curl_global_init(CURL_GLOBAL_ALL);
@@ -244,6 +246,9 @@ http_file_put(void* userdata)
 
     fh = upload->filehandle;
 
+    if (cafile) {
+        curl_easy_setopt(curl, CURLOPT_CAINFO, cafile);
+    }
     if (cert_path) {
         curl_easy_setopt(curl, CURLOPT_CAPATH, cert_path);
     }
@@ -288,6 +293,7 @@ http_file_put(void* userdata)
     g_free(expires_header);
 
     pthread_mutex_lock(&lock);
+    g_free(cafile);
     g_free(cert_path);
 
     if (err) {
diff --git a/tests/unittests/config/stub_cafile.c b/tests/unittests/config/stub_cafile.c
new file mode 100644
index 00000000..ea31de11
--- /dev/null
+++ b/tests/unittests/config/stub_cafile.c
@@ -0,0 +1,55 @@
+/*
+ * stub_cafile.c
+ * vim: expandtab:ts=4:sts=4:sw=4
+ *
+ * Copyright (C) 2022 Steffen Jaeckel <jaeckel-floss@eyet-services.de>
+ *
+ * This file is part of Profanity.
+ *
+ * Profanity is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Profanity is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Profanity.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * In addition, as a special exception, the copyright holders give permission to
+ * link the code of portions of this program with the OpenSSL library under
+ * certain conditions as described in each individual source file, and
+ * distribute linked combinations including the two.
+ *
+ * You must obey the GNU General Public License in all respects for all of the
+ * code used other than OpenSSL. If you modify file(s) with this exception, you
+ * may extend this exception to your version of the file(s), but you are not
+ * obligated to do so. If you do not wish to do so, delete this exception
+ * statement from your version. If you delete this exception statement from all
+ * source files in the program, then also delete it here.
+ *
+ */
+
+#include <fcntl.h>
+#include <glib.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/wait.h>
+
+#include "common.h"
+#include "config/files.h"
+#include "log.h"
+
+void
+cafile_add(const TLSCertificate* cert)
+{
+}
+
+gchar*
+cafile_get_name(void)
+{
+    return NULL;
+}