diff options
Diffstat (limited to 'lib/x509/verify.c')
-rw-r--r-- | lib/x509/verify.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/x509/verify.c b/lib/x509/verify.c index 2ba65aca50..638aa1e5a2 100644 --- a/lib/x509/verify.c +++ b/lib/x509/verify.c @@ -390,6 +390,12 @@ static unsigned int check_time_status(gnutls_x509_crt_t crt, time_t now) static int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) { + gnutls_digest_algorithm_t hash; + + /* we have a catch all */ + if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN) + return 1; + /* the first two are for backwards compatibility */ if ((sig == GNUTLS_SIGN_RSA_MD2) && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2)) @@ -397,9 +403,11 @@ int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags) if ((sig == GNUTLS_SIGN_RSA_MD5) && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5)) return 1; - /* we no longer have individual flags - but rather a catch all */ - if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN) + + hash = gnutls_sign_get_hash_algorithm(sig); + if (hash == GNUTLS_DIG_SHA1 && (flags & GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1)) return 1; + return 0; } |