From 7b595774f01a6264069fd41b6dd65dd6bcb9a94e Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 26 Jun 2017 16:28:56 +0200
Subject: [PATCH] disable verification of all insecure hashes

---
 ...rify.patch => openssl-1.1.0-no-weak-verify.patch | 13 +++++++------
 openssl.spec                                        |  7 +++++--
 2 files changed, 12 insertions(+), 8 deletions(-)
 rename openssl-1.1.0-no-md5-verify.patch => openssl-1.1.0-no-weak-verify.patch (52%)

diff --git a/openssl-1.1.0-no-md5-verify.patch b/openssl-1.1.0-no-weak-verify.patch
similarity index 52%
rename from openssl-1.1.0-no-md5-verify.patch
rename to openssl-1.1.0-no-weak-verify.patch
index e490729..406d7a0 100644
--- a/openssl-1.1.0-no-md5-verify.patch
+++ b/openssl-1.1.0-no-weak-verify.patch
@@ -1,6 +1,6 @@
-diff -up openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0-pre6/crypto/asn1/a_verify.c
---- openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify	2016-08-04 16:00:45.000000000 +0200
-+++ openssl-1.1.0-pre6/crypto/asn1/a_verify.c	2016-08-08 16:01:38.382424922 +0200
+diff -up openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.0f/crypto/asn1/a_verify.c
+--- openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify	2017-05-25 14:46:18.000000000 +0200
++++ openssl-1.1.0f/crypto/asn1/a_verify.c	2017-06-26 16:26:49.496989272 +0200
 @@ -7,6 +7,9 @@
   * https://www.openssl.org/source/license.html
   */
@@ -11,12 +11,13 @@ diff -up openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0-p
  #include <stdio.h>
  #include <time.h>
  
-@@ -129,6 +132,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+@@ -129,6 +132,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
          if (ret != 2)
              goto err;
          ret = -1;
-+    } else if (mdnid == NID_md5
-+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
++    } else if ((mdnid == NID_md5
++               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
 +        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
 +                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
 +        goto err;
diff --git a/openssl.spec b/openssl.spec
index 45be0ad..985bfcb 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.0f
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -53,7 +53,7 @@ Patch34: openssl-1.1.0-starttls-xmpp.patch
 Patch35: openssl-1.1.0-chil-fixes.patch
 Patch36: openssl-1.1.0-secure-getenv.patch
 Patch37: openssl-1.1.0-ec-curves.patch
-Patch38: openssl-1.1.0-no-md5-verify.patch
+Patch38: openssl-1.1.0-no-weak-verify.patch
 Patch39: openssl-1.1.0-cc-reqs.patch
 Patch40: openssl-1.1.0-disable-ssl3.patch
 Patch41: openssl-1.1.0-system-cipherlist.patch
@@ -436,6 +436,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jun 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-5
+- disable verification of all insecure hashes
+
 * Fri Jun 23 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-4
 - make DTLS work (#1462541)