openssl/openssl-1.0.1e-no-md5-verify.patch
Tomas Mraz 9caf868063 disable verification of certificate, CRL, and OCSP signatures using MD5
if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
2013-11-13 20:06:28 +01:00

26 lines
736 B
Diff

diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
--- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/asn1/a_verify.c 2013-11-13 16:30:04.628791616 +0100
@@ -56,6 +56,9 @@
* [including the GNU Public Licence.]
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
+
#include <stdio.h>
#include <time.h>
@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
goto err;
ret = -1;
}
+ else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
+ {
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ goto err;
+ }
else
{
const EVP_MD *type;