[openssl] disable verification of certificate, CRL, and OCSP signatures using MD5
Tomáš Mráz
tmraz at fedoraproject.org
Wed Nov 13 19:06:07 UTC 2013
commit 9caf868063fd085ed4b2246f5f8dde91873d1c15
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Wed Nov 13 20:06:28 2013 +0100
disable verification of certificate, CRL, and OCSP signatures using MD5
if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
openssl-1.0.1e-no-md5-verify.patch | 25 +++++++++++++++++++++++++
1 files changed, 25 insertions(+), 0 deletions(-)
---
diff --git a/openssl-1.0.1e-no-md5-verify.patch b/openssl-1.0.1e-no-md5-verify.patch
new file mode 100644
index 0000000..f379735
--- /dev/null
+++ b/openssl-1.0.1e-no-md5-verify.patch
@@ -0,0 +1,25 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.1e/crypto/asn1/a_verify.c
+--- openssl-1.0.1e/crypto/asn1/a_verify.c.no-md5-verify 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/a_verify.c 2013-11-13 16:30:04.628791616 +0100
+@@ -56,6 +56,9 @@
+ * [including the GNU Public Licence.]
+ */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+
+@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
+ goto err;
+ ret = -1;
+ }
++ else if (mdnid == NID_md5 && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL)
++ {
++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
++ }
+ else
+ {
+ const EVP_MD *type;
More information about the scm-commits
mailing list