rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

disable verification of all insecure hashes

This commit is contained in:
Tomas Mraz 2017-06-26 16:28:56 +02:00
parent 226b42827c
commit 7b595774f0
2 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
openssl-1.1.0-no-md5-verify.patch → openssl-1.1.0-no-weak-verify.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0-pre6/crypto/asn1/a_verify.c
--- openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify 2016-08-04 16:00:45.000000000 +0200
+++ openssl-1.1.0-pre6/crypto/asn1/a_verify.c 2016-08-08 16:01:38.382424922 +0200
diff -up openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.0f/crypto/asn1/a_verify.c
--- openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/crypto/asn1/a_verify.c 2017-06-26 16:26:49.496989272 +0200
@@ -7,6 +7,9 @@
* https://www.openssl.org/source/license.html
*/
@ -11,12 +11,13 @@ diff -up openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0-p
#include <stdio.h>
#include <time.h>
@@ -129,6 +132,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
@@ -129,6 +132,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
if (ret != 2)
goto err;
ret = -1;
+ } else if (mdnid == NID_md5
+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
+ } else if ((mdnid == NID_md5
+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ goto err;

7
openssl.spec
View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.0f
Release: 4%{?dist}
Release: 5%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -53,7 +53,7 @@ Patch34: openssl-1.1.0-starttls-xmpp.patch
Patch35: openssl-1.1.0-chil-fixes.patch
Patch36: openssl-1.1.0-secure-getenv.patch
Patch37: openssl-1.1.0-ec-curves.patch
Patch38: openssl-1.1.0-no-md5-verify.patch
Patch38: openssl-1.1.0-no-weak-verify.patch
Patch39: openssl-1.1.0-cc-reqs.patch
Patch40: openssl-1.1.0-disable-ssl3.patch
Patch41: openssl-1.1.0-system-cipherlist.patch
@ -436,6 +436,9 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig
%changelog
* Mon Jun 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-5
- disable verification of all insecure hashes
* Fri Jun 23 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-4
- make DTLS work (#1462541)