From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 05/50] RH: Disable signature verification with bad digests -
 REVIEW

Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
Patch-id: 6
Patch-status: |
    # # Disable signature verification with totally unsafe hash algorithms
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
 crypto/asn1/a_verify.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index f6cac80962..fbc6ce6e30 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
             ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
         if (ret <= 1)
             goto err;
+    } else if ((mdnid == NID_md5
+               && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
+               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
+        ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+        goto err;
     } else {
         const EVP_MD *type = NULL;
 
-- 
2.49.0