disable verification of certificate, CRL, and OCSP signatures using MD5

if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
2013-11-13 20:06:28 +01:00 · 2013-11-13 20:06:28 +01:00 · 9caf868063
parent dcd0fb1ec9
commit 9caf868063
1 changed files with 25 additions and 0 deletions
--- a/openssl-1.0.1e-no-md5-verify.patch
+++ b/openssl-1.0.1e-no-md5-verify.patch
@ -0,0 +1,25 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
+--- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify	2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/asn1/a_verify.c	2013-11-13 16:30:04.628791616 +0100
+@@ -56,6 +56,9 @@
+  * [including the GNU Public Licence.]
+  */
+ 
+/* for secure_getenv */
+#define _GNU_SOURCE
+
+ #include <stdio.h>
+ #include <time.h>
+ 
+@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+ 			goto err;
+ 		ret = -1;
+ 		}
+	else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+		goto err;
+		}
+ 	else
+ 		{
+ 		const EVP_MD *type;