openssl/openssl-1.1.0-no-weak-verify.patch

27 lines
969 B
Diff
Raw Normal View History

2017-11-03 15:57:03 +00:00
diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/crypto/asn1/a_verify.c
--- openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify 2017-11-02 15:29:02.000000000 +0100
+++ openssl-1.1.0g/crypto/asn1/a_verify.c 2017-11-03 16:15:46.125801341 +0100
2016-10-11 08:31:54 +00:00
@@ -7,6 +7,9 @@
* https://www.openssl.org/source/license.html
2015-04-23 11:57:26 +00:00
*/
+/* for secure_getenv */
+#define _GNU_SOURCE
+
#include <stdio.h>
#include <time.h>
2017-11-03 15:57:03 +00:00
#include <sys/types.h>
@@ -126,6 +129,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
2015-04-23 11:57:26 +00:00
if (ret != 2)
goto err;
ret = -1;
+ } else if ((mdnid == NID_md5
+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
2015-04-23 11:57:26 +00:00
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ goto err;
} else {
const EVP_MD *type;
type = EVP_get_digestbynid(mdnid);