Replace setting tls_fingerprint with ca_bundle

5 files changed, 13 insertions, 16 deletions

diff --git a/contrib/config-example b/contrib/config-example
index b1648fd..899ee39 100644
--- a/contrib/config-example
+++ b/contrib/config-example
@@ -48,6 +48,7 @@
 #love_icon = [+]
 #ban_icon = [-]
 #volume = 0
+#ca_bundle = /etc/ssl/certs/ca-certificates.crt
 
 # Format strings
 #format_nowplaying_song = %t by %a on %l%r%@%s
@@ -62,5 +63,4 @@
 #device = D01
 #encrypt_password = 2%3WCL*JU$MP]4
 #decrypt_password = U#IO$RZPAB%VX2
-#tls_fingerprint = B0A1EB460B1B6F33A1B6CB500C6523CB2E6EC946
 
diff --git a/contrib/pianobar.1 b/contrib/pianobar.1
index 8a311a5..e337ea2 100644
--- a/contrib/pianobar.1
+++ b/contrib/pianobar.1
@@ -196,6 +196,11 @@ or the key you defined in
 Icon for banned songs.
 
 .TP
+.B ca_bundle
+Path to CA certifiate bundle, containing the root and intermediate certificates
+required to validate Pandora’s SSL certificate.
+
+.TP
 .B control_proxy = http://user:password@host:port/
 Non-american users need a proxy to use pandora.com. Only the xmlrpc interface
 will use this proxy. The music is streamed directly.
diff --git a/src/settings.c b/src/settings.c
index 6ee9df2..37928a9 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -177,9 +177,6 @@ void BarSettingsRead (BarSettings_t *settings) {
 	settings->outkey = strdup ("6#26FRL$ZWD");
 	settings->fifo = BarGetXdgConfigDir (PACKAGE "/ctl");
 	assert (settings->fifo != NULL);
-	memcpy (settings->tlsFingerprint, "\x2D\x0A\xFD\xAF\xA1\x6F\x4B\x5C\x0A"
-			"\x43\xF3\xCB\x1D\x47\x52\xF9\x53\x55\x07\xC0",
-			sizeof (settings->tlsFingerprint));
 
 	settings->msgFormat[MSG_NONE].prefix = NULL;
 	settings->msgFormat[MSG_NONE].postfix = NULL;
@@ -253,6 +250,9 @@ void BarSettingsRead (BarSettings_t *settings) {
 			} else if (streq ("decrypt_password", key)) {
 				free (settings->inkey);
 				settings->inkey = strdup (val);
+			} else if (streq ("ca_bundle", key)) {
+				free (settings->caBundle);
+				settings->caBundle = strdup (val);
 			} else if (memcmp ("act_", key, 4) == 0) {
 				size_t i;
 				/* keyboard shortcuts */
@@ -323,16 +323,6 @@ void BarSettingsRead (BarSettings_t *settings) {
 				settings->fifo = BarSettingsExpandTilde (val, userhome);
 			} else if (streq ("autoselect", key)) {
 				settings->autoselect = atoi (val);
-			} else if (streq ("tls_fingerprint", key)) {
-				/* expects 40 byte hex-encoded sha1 */
-				if (strlen (val) == 40) {
-					for (size_t i = 0; i < 20; i++) {
-						char hex[3];
-						memcpy (hex, &val[i*2], 2);
-						hex[2] = '\0';
-						settings->tlsFingerprint[i] = strtol (hex, NULL, 16);
-					}
-				}
 			} else if (strncmp (formatMsgPrefix, key,
 					strlen (formatMsgPrefix)) == 0) {
 				static const char *mapping[] = {"none", "info", "nowplaying",
diff --git a/src/settings.h b/src/settings.h
index ae22111..0ce5611 100644
--- a/src/settings.h
+++ b/src/settings.h
@@ -101,8 +101,7 @@ typedef struct {
 	char *npStationFormat;
 	char *listSongFormat;
 	char *fifo;
-	char *rpcHost, *rpcTlsPort, *partnerUser, *partnerPassword, *device, *inkey, *outkey;
-	char tlsFingerprint[20];
+	char *rpcHost, *rpcTlsPort, *partnerUser, *partnerPassword, *device, *inkey, *outkey, *caBundle;
 	char keys[BAR_KS_COUNT];
 	BarMsgFormatStr_t msgFormat[MSG_COUNT];
 } BarSettings_t;
diff --git a/src/ui.c b/src/ui.c
index 5dd5d79..91eb005 100644
--- a/src/ui.c
+++ b/src/ui.c
@@ -186,6 +186,9 @@ static CURLcode BarPianoHttpRequest (CURL * const http,
 	setAndCheck (CURLOPT_WRITEDATA, &buffer);
 	setAndCheck (CURLOPT_POST, 1);
 	setAndCheck (CURLOPT_TIMEOUT, 30);
+	if (settings->caBundle != NULL) {
+		setAndCheck (CURLOPT_CAINFO, settings->caBundle);
+	}
 
 	/* set up proxy (control proxy for non-us citizen or global proxy for poor
 	 * firewalled fellows) */