Resolves: RHEL-80811 Resolves: RHEL-57022 Resolves: RHEL-24098 Resolves: RHEL-24097 Resolves: RHEL-86865
From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
Subject: [PATCH 05/50] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
Patch-id: 6
Patch-status: |
# # Disable signature verification with totally unsafe hash algorithms
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/asn1/a_verify.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index f6cac80962..fbc6ce6e30 100644
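--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
 ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
 if (ret <= 1)
 goto err;
+ } else if ((mdnid == NID_md5
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ goto err;
 } else {
 const EVP_MD *type = NULL;
 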
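Review bot: The MD5 escape hatch in the added `else if` only tests whether `OPENSSL_ENABLE_MD5_VERIFY` is present, so `OPENSSL_ENABLE_MD5_VERIFY=0` or an empty value re-enables verification of MD5-signed objects for the whole process; either compare the value explicitly or state the semantics in a comment such as `/* any value, even "0" or empty, re-enables MD5 signature verification process-wide */`. The rejection reuses `ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM`, which reads as a parse failure rather than a policy decision; `ERR_raise_data(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM, "digest %s disabled by policy", OBJ_nid2sn(mdnid));` would let operators tell the two apart in logs. `NID_sha` is SHA-0, not SHA-1, and the name invites the wrong reading, so it deserves a short comment next to the condition. The branch before this one starts outside the hunk, so it cannot be confirmed from here whether signature schemes handled there ever reach this digest check.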
--
2.49.0