From b498ccb314f4218ccb8172a1243e13de7463ab59 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Tue, 2 Jun 2009 20:25:28 +0200 Subject: [PATCH] Add support for GNUTLS_CERT_INSECURE_ALGORITHM error code --- mutt_ssl_gnutls.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c index 4af204e13..55755cdfc 100644 --- a/mutt_ssl_gnutls.c +++ b/mutt_ssl_gnutls.c @@ -41,6 +41,7 @@ #define CERTERR_NOTTRUSTED 8 #define CERTERR_HOSTNAME 16 #define CERTERR_SIGNERNOTCA 32 +#define CERTERR_INSECUREALG 64 typedef struct _tlssockdata { @@ -606,6 +607,13 @@ static int tls_check_preauth (const gnutls_datum_t *certdata, certificate is in our cache. */ certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; } + + if (chainidx == 0 && certstat & GNUTLS_CERT_INSECURE_ALGORITHM) + { + /* doesn't matter that it was signed using an insecure + algorithm, since certificate is in our trusted cache */ + certstat ^= GNUTLS_CERT_INSECURE_ALGORITHM; + } } if (certstat & GNUTLS_CERT_REVOKED) @@ -634,6 +642,13 @@ static int tls_check_preauth (const gnutls_datum_t *certdata, certstat ^= GNUTLS_CERT_SIGNER_NOT_CA; } + if (certstat & GNUTLS_CERT_INSECURE_ALGORITHM) + { + /* NB: already cleared if cert in cache */ + *certerr |= CERTERR_INSECUREALG; + certstat ^= GNUTLS_CERT_INSECURE_ALGORITHM; + } + gnutls_x509_crt_deinit (cert); /* we've been zeroing the interesting bits in certstat - @@ -674,6 +689,17 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata, &savedcert)) return 1; + /* skip signers if insecure algorithm was used */ + if (idx && (certerr & CERTERR_INSECUREALG)) + { + if (idx == 1) + { + mutt_error (_("Warning: Server certificate was signed using an insecure algorithm")); + mutt_sleep (2); + } + return 0; + } + /* interactive check from user */ if (gnutls_x509_crt_init (&cert) < 0) { -- 2.40.0