summaryrefslogtreecommitdiff
path: root/pith
diff options
context:
space:
mode:
authorEduardo Chappa <chappa@washington.edu>2016-11-21 15:27:17 -0700
committerEduardo Chappa <chappa@washington.edu>2016-11-21 15:27:17 -0700
commitf2111e1cf184a4c32b97542470294ebf47e6caea (patch)
treeca77ea7bfbd0ac676f375fb32c93cb38297d05b3 /pith
parent608be97a394100c9af90f404ea0fe51b0f378eac (diff)
downloadalpine-f2111e1cf184a4c32b97542470294ebf47e6caea.tar.xz
* SMIME: Change the default signature digest from sha1 to sha-256,
since clients such as Thunderbird do not validate signatures that use sha1 digest.
Diffstat (limited to 'pith')
-rw-r--r--pith/pine.hlp5
-rw-r--r--pith/smime.c15
2 files changed, 15 insertions, 5 deletions
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 506cd2f3..d7e94ed1 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any
reasonable place to be called from.
Dummy change to get revision in pine.hlp
============= h_revision =================
-Alpine Commit 181 2016-11-18 23:17:58
+Alpine Commit 182 2016-11-21 15:27:11
============= h_news =================
<HTML>
<HEAD>
@@ -213,6 +213,9 @@ Additions include:
that allows users to ignore errors in the computation of the size
of a message from defective servers.
+ <LI> SMIME: Upgrade the default signature digest from sha1 to sha-256, since
+ clients such as Thunderbird do not validate signatures that use sha1 digest.
+
<LI> Add the configuration variable "default-directories", which is called
<A href="h_config_history"><!--#echo var="VAR_default-directories"--></A>
variable saves a list of directories that are readily accessible
diff --git a/pith/smime.c b/pith/smime.c
index 43e7375b..76fbdc91 100644
--- a/pith/smime.c
+++ b/pith/smime.c
@@ -3661,6 +3661,7 @@ sign_outgoing_message(METAENV *header, BODY **bodyP, int dont_detach, BODY **bp)
PKCS7 *p7 = NULL;
PKCS7 *p7_2 = NULL;
STACK_OF(X509) *chain;
+ const EVP_MD *md = EVP_sha256(); /* use this digest instead of sha1 */
int result = 0, error;
int flags = dont_detach ? 0 : PKCS7_DETACHED;
int level;
@@ -3701,7 +3702,10 @@ sign_outgoing_message(METAENV *header, BODY **bodyP, int dont_detach, BODY **bp)
in = body_to_bio(body);
- p7 = PKCS7_sign(pcert->cert, pcert->key, chain, in, flags);
+ flags |= PKCS7_PARTIAL;
+ if((p7 = PKCS7_sign(NULL, NULL, chain, in, flags)) != NULL
+ && PKCS7_sign_add_signer(p7, pcert->cert, pcert->key, md, flags))
+ PKCS7_final(p7, in, flags);
if(bp && *bp){
int i, save_encoding;
@@ -3722,8 +3726,11 @@ sign_outgoing_message(METAENV *header, BODY **bodyP, int dont_detach, BODY **bp)
}
}
- if(bp && *bp)
- p7_2 = PKCS7_sign(pcert->cert, pcert->key, chain, in_2, flags);
+ if(bp && *bp){
+ if((p7_2 = PKCS7_sign(NULL, NULL, chain, in_2, flags)) != NULL
+ && PKCS7_sign_add_signer(p7_2, pcert->cert, pcert->key, md, flags))
+ PKCS7_final(p7_2, in_2, flags);
+ }
if(F_OFF(F_REMEMBER_SMIME_PASSPHRASE,ps_global))
forget_private_keys();
@@ -3786,7 +3793,7 @@ sign_outgoing_message(METAENV *header, BODY **bodyP, int dont_detach, BODY **bp)
newBody->encoding = ENC7BIT;
set_parameter(&newBody->parameter, "protocol", "application/pkcs7-signature");
- set_parameter(&newBody->parameter, "micalg", "sha1");
+ set_parameter(&newBody->parameter, "micalg", "sha-256");
p1 = mail_newbody_part();
p2 = mail_newbody_part();