From 9caf868063fd085ed4b2246f5f8dde91873d1c15 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 13 Nov 2013 20:06:28 +0100
Subject: [PATCH] disable verification of certificate, CRL, and OCSP signatures
 using MD5

 if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
---
 openssl-1.0.1e-no-md5-verify.patch | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 openssl-1.0.1e-no-md5-verify.patch

diff --git a/openssl-1.0.1e-no-md5-verify.patch b/openssl-1.0.1e-no-md5-verify.patch
new file mode 100644
index 0000000..f379735
--- /dev/null
+++ b/openssl-1.0.1e-no-md5-verify.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
+--- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/a_verify.c	2013-11-13 16:30:04.628791616 +0100
+@@ -56,6 +56,9 @@
+  * [including the GNU Public Licence.]
+  */
+ 
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+ 
+@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+ 			goto err;
+ 		ret = -1;
+ 		}
++	else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
++		{
++		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++		goto err;
++		}
+ 	else
+ 		{
+ 		const EVP_MD *type;