changeset: 6969:23c00b71f653
user: Kevin McCarthy <ke...@8t8.us>
date: Mon Mar 13 18:38:23 2017 -0700
link: http://dev.mutt.org/hg/mutt/rev/23c00b71f653
Change OpenSSL to use SHA-256 for cert comparison. (closes #3924)
Note the GnuTLS code compares the certs directly to check if they are
in the certfile.
diffs (39 lines):
diff -r 00cef7557f38 -r 23c00b71f653 mutt_ssl.c
--- a/mutt_ssl.c Mon Mar 13 01:38:44 2017 +0100
+++ b/mutt_ssl.c Mon Mar 13 18:38:23 2017 -0700
@@ -771,7 +771,7 @@
X509_issuer_name_cmp (cert, peercert) != 0)
return -1;
- if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen)
+ if (!X509_digest (cert, EVP_sha256(), md, &mdlen) || peermdlen != mdlen)
return -1;
if (memcmp(peermd, md, mdlen) != 0)
@@ -787,7 +787,7 @@
X509 *cert;
int i;
- if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)
+ if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen)
|| !SslSessionCerts)
{
return 0;
@@ -848,7 +848,7 @@
if ((fp = fopen (SslCertFile, "rt")) == NULL)
return 0;
- if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
+ if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen))
{
safe_fclose (&fp);
return 0;
@@ -1083,7 +1083,7 @@
{
if (skip_mode && preverify_ok && (pos == last_pos) && last_cert)
{
- if (X509_digest (last_cert, EVP_sha1(), last_cert_md, &last_cert_mdlen)
&&
+ if (X509_digest (last_cert, EVP_sha256(), last_cert_md,
&last_cert_mdlen) &&
!compare_certificates (cert, last_cert, last_cert_md,
last_cert_mdlen))
{
dprint (2, (debugfile,
