From: Nikos Mavrogiannopoulos
Date: Mon, 3 Jul 2017 07:58:35 +0000 (+0200)
Subject: gnutls-cli: added option to allow verification with broken algorithms
X-Git-Tag: gnutls_3_6_0~334
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8bd7e1b0bd3bd6efc8fb35158e0b68014fcfce62;p=thirdparty%2Fgnutls.git

gnutls-cli: added option to allow verification with broken algorithms

Signed-off-by: Nikos Mavrogiannopoulos
---
diff --git a/src/cli-args.def b/src/cli-args.def
index f2e1ce1cc5..4642237c28 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -252,6 +252,12 @@ flag = {
 doc = "";
 };
+flag = {
+ name = verify-allow-broken;
+ descrip = "Allow broken algorithms, such as MD5 for certificate verification";
+ doc = "";
+};
+
 flag = {
 name = ranges;
 descrip = "Use length-hiding padding to prevent traffic analysis";
diff --git a/src/cli.c b/src/cli.c
index 7fb73d4f7e..28acc92218 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -78,6 +78,7 @@
 /* global stuff here */
 int resume, starttls, insecure, ranges, rehandshake, udp, mtu, inline_commands;
+unsigned int global_vflags = 0;
 char *hostname = NULL;
 char service[32]="";
 int record_max_size;
@@ -1454,6 +1455,10 @@ static void cmd_parser(int argc, char **argv)
 insecure = HAVE_OPT(INSECURE);
 ranges = HAVE_OPT(RANGES);
+ if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
+ global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
+ }
+
 udp = HAVE_OPT(UDP);
 mtu = OPT_VALUE_MTU;
@@ -1706,6 +1711,8 @@ static void init_global_tls_stuff(void)
 }
 gnutls_certificate_set_pin_function(xcred, pin_callback, NULL);
+ gnutls_certificate_set_verify_flags(xcred, global_vflags);
+
 if (x509_cafile != NULL) {
 ret = gnutls_certificate_set_x509_trust_file(xcred, x509_cafile,
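Review bot: The new `verify-allow-broken` flag in src/cli-args.def is added with an empty `doc = "";`, so whatever help text is generated from this file presumably carries only the one-line `descrip` and does not say what the user gives up. Because the option relaxes certificate verification, the `doc` string is the natural place to state that it accepts certificates signed with algorithms the library otherwise rejects, that it is intended for testing against legacy peers, and that `--insecure` implies it (per the cmd_parser hunk in src/cli.c). The description would also read more clearly as `descrip = "Allow broken algorithms, such as MD5, for certificate verification";`.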
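Review bot: In the cmd_parser hunk, the `insecure ||` half of the new condition makes `--insecure` turn on GNUTLS_VERIFY_ALLOW_BROKEN as well, and nothing in the hunk or the commit message explains that coupling. If `--insecure` only keeps the tool from aborting when validation fails (that logic is not visible here), a user who passes it because of an untrusted issuer would no longer be told that the chain also depends on a broken algorithm such as MD5, since verification would now accept it. Either keep the two options independent with `if (HAVE_OPT(VERIFY_ALLOW_BROKEN)) {`, or document the intent above the condition with a comment such as `/* --insecure also accepts broken signature algorithms */`. cmd_parser starts and ends outside the hunk.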