diff options
author | Kevin McCarthy <kevin@8t8.us> | 2017-03-13 18:38:23 -0700 |
---|---|---|
committer | Kevin McCarthy <kevin@8t8.us> | 2017-03-13 18:38:23 -0700 |
commit | d9f98ef5b4f150e9e6259d85277269932422fbc2 (patch) | |
tree | 0f41ec5e045c3c3b109db9101107bc4e98cf66e0 /mutt_ssl.c | |
parent | f548aae21dbd849b4c9650bed5865df5ad446d1d (diff) |
Change OpenSSL to use SHA-256 for cert comparison. (closes #3924)
Note the GnuTLS code compares the certs directly to check if they are
in the certfile.
Diffstat (limited to 'mutt_ssl.c')
-rw-r--r-- | mutt_ssl.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -771,7 +771,7 @@ static int compare_certificates (X509 *cert, X509 *peercert, X509_issuer_name_cmp (cert, peercert) != 0) return -1; - if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen) + if (!X509_digest (cert, EVP_sha256(), md, &mdlen) || peermdlen != mdlen) return -1; if (memcmp(peermd, md, mdlen) != 0) @@ -787,7 +787,7 @@ static int check_certificate_cache (X509 *peercert) X509 *cert; int i; - if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen) + if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen) || !SslSessionCerts) { return 0; @@ -848,7 +848,7 @@ static int check_certificate_file (X509 *peercert) if ((fp = fopen (SslCertFile, "rt")) == NULL) return 0; - if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)) + if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen)) { safe_fclose (&fp); return 0; @@ -1083,7 +1083,7 @@ static int ssl_verify_callback (int preverify_ok, X509_STORE_CTX *ctx) { if (skip_mode && preverify_ok && (pos == last_pos) && last_cert) { - if (X509_digest (last_cert, EVP_sha1(), last_cert_md, &last_cert_mdlen) && + if (X509_digest (last_cert, EVP_sha256(), last_cert_md, &last_cert_mdlen) && !compare_certificates (cert, last_cert, last_cert_md, last_cert_mdlen)) { dprint (2, (debugfile, |