From: Kevin McCarthy
Date: Tue, 14 Mar 2017 01:38:23 +0000 (-0700)
Subject: Change OpenSSL to use SHA-256 for cert comparison. (closes #3924)
X-Git-Tag: mutt-1-9-rel~139
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d9f98ef5b4f150e9e6259d85277269932422fbc2;p=mutt

Change OpenSSL to use SHA-256 for cert comparison. (closes #3924)

Note the GnuTLS code compares the certs directly to check if they are in the certfile.
---
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 98cb82c0..86c8fb50 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -771,7 +771,7 @@ static int compare_certificates (X509 *cert, X509 *peercert,
 X509_issuer_name_cmp (cert, peercert) != 0)
 return -1;

- if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen)
+ if (!X509_digest (cert, EVP_sha256(), md, &mdlen) || peermdlen != mdlen)
 return -1;

 if (memcmp(peermd, md, mdlen) != 0)
@@ -787,7 +787,7 @@ static int check_certificate_cache (X509 *peercert)
 X509 *cert;
 int i;

- if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)
+ if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen)
 || !SslSessionCerts)
 {
 return 0;
@@ -848,7 +848,7 @@ static int check_certificate_file (X509 *peercert)
 if ((fp = fopen (SslCertFile, "rt")) == NULL)
 return 0;

- if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
+ if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen))
 {
 safe_fclose (&fp);
 return 0;
@@ -1083,7 +1083,7 @@ static int ssl_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
 {
 if (skip_mode && preverify_ok && (pos == last_pos) && last_cert)
 {
- if (X509_digest (last_cert, EVP_sha1(), last_cert_md, &last_cert_mdlen) &&
+ if (X509_digest (last_cert, EVP_sha256(), last_cert_md, &last_cert_mdlen) &&
 !compare_certificates (cert, last_cert, last_cert_md, last_cert_mdlen))
 {
 dprint (2, (debugfile,
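Review bot: The buffers `md`, `peermd` and `last_cert_md` that X509_digest() now fills with a 32-byte SHA-256 digest (SHA-1 wrote 20) are declared outside these hunks, so their size should be confirmed as `unsigned char[EVP_MAX_MD_SIZE]` rather than a SHA-1-sized array; this applies to the calls in compare_certificates, check_certificate_cache, check_certificate_file and ssl_verify_callback alike. compare_certificates also depends on its callers having hashed peercert with the same algorithm it uses for cert, which nothing visible states; a comment above the function such as `/* peermd/peermdlen: SHA-256 digest of peercert, computed by the caller */` would record that contract. A mismatch would still fail closed through the `peermdlen != mdlen` and memcmp checks, so this is a documentation point and not a defect. The function body starts and ends outside the hunk.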
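Review bot: In check_certificate_cache the certificate is hashed before the `!SslSessionCerts` test, so the digest is computed even when there is no session cache to search; putting the cheap test first, `if (!SslSessionCerts || !X509_digest (peercert, EVP_sha256(), peermd, &peermdlen))`, returns the same result. check_certificate_file has the same ordering: hashing peercert before `fopen (SslCertFile, "rt")` would remove the `safe_fclose (&fp)` cleanup path on digest failure. Both function bodies continue outside their hunks.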