Blame SOURCES/openssl-1.1.0-no-weak-verify.patch

e4b8d1
diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/crypto/asn1/a_verify.c
e4b8d1
--- openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify	2017-11-02 15:29:02.000000000 +0100
e4b8d1
+++ openssl-1.1.0g/crypto/asn1/a_verify.c	2017-11-03 16:15:46.125801341 +0100
e4b8d1
@@ -7,6 +7,9 @@
e4b8d1
  * https://www.openssl.org/source/license.html
e4b8d1
  */
e4b8d1
 
e4b8d1
+/* for secure_getenv */
e4b8d1
+#define _GNU_SOURCE
e4b8d1
+
e4b8d1
 #include <stdio.h>
e4b8d1
 #include <time.h>
e4b8d1
 #include <sys/types.h>
e4b8d1
@@ -126,6 +129,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
e4b8d1
         if (ret != 2)
e4b8d1
             goto err;
e4b8d1
         ret = -1;
e4b8d1
+    } else if ((mdnid == NID_md5
e4b8d1
+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
e4b8d1
+               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
e4b8d1
+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
e4b8d1
+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
e4b8d1
+        goto err;
e4b8d1
     } else {
e4b8d1
         const EVP_MD *type;
e4b8d1
         type = EVP_get_digestbynid(mdnid);