From e2de2924506edec3183648225d5c08b5e29bbf61 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 24 Feb 2017 08:46:01 +0100
Subject: verify: is_broken_allowed: account for "new" flag GNUTLS_VERIFY_ALLOW_BROKEN

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/x509/verify.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'lib')

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 84746d4e85..2a89883513 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -350,12 +350,16 @@ static unsigned int check_time_status(gnutls_x509_crt_t crt, time_t now)
 
 static int is_broken_allowed(gnutls_sign_algorithm_t sig, unsigned int flags)
 {
+ /* the first two are for backwards compatibility */
 if ((sig == GNUTLS_SIGN_RSA_MD2)
 && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2))
 return 1;
 if ((sig == GNUTLS_SIGN_RSA_MD5)
 && (flags & GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5))
 return 1;
+ /* we no longer have individual flags - but rather a catch all */
+ if ((flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN)
+ return 1;
 return 0;
 }
 
-- 
cgit v1.2.1
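Review bot: The new catch-all in is_broken_allowed() returns 1 without looking at `sig`, so once the mask matches, every algorithm this function is asked about is accepted, not only MD2/MD5. The full-mask comparison `(flags & GNUTLS_VERIFY_ALLOW_BROKEN) == GNUTLS_VERIFY_ALLOW_BROKEN` suggests the constant spans several bits; if it is the OR of the two legacy flags (its definition is not in this hunk), a caller that sets both GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 and GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 to tolerate only those two now silently opts in to all broken signature algorithms. That widening should be stated where it happens, e.g. `/* catch-all: matches when every ALLOW_BROKEN bit is set, which includes setting both legacy MD2/MD5 flags; sig is deliberately not checked */`. A test with exactly one legacy flag set and a different weak algorithm should also pin the 0 result.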