| 1 |
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Tomas Mraz <tmraz@fedoraproject.org> |
| 3 |
Date: Thu, 24 Sep 2020 09:51:34 +0200 |
| 4 |
Subject: Disable signature verification with totally unsafe hash algorithms |
| 5 |
|
| 6 |
(was openssl-1.1.1-no-weak-verify.patch) |
| 7 |
--- |
| 8 |
crypto/asn1/a_verify.c | 5 +++++ |
| 9 |
1 file changed, 5 insertions(+) |
| 10 |
|
| 11 |
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c |
| 12 |
index b7eed914b0..af62f0ef08 100644 |
| 13 |
--- a/crypto/asn1/a_verify.c |
| 14 |
+++ b/crypto/asn1/a_verify.c |
| 15 |
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg, |
| 16 |
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB); |
| 17 |
if (ret <= 1) |
| 18 |
goto err; |
| 19 |
+ } else if ((mdnid == NID_md5 |
| 20 |
+ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) || |
| 21 |
+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) { |
| 22 |
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); |
| 23 |
+ goto err; |
| 24 |
} else { |
| 25 |
const EVP_MD *type = NULL; |
| 26 |
|
| 27 |
-- |
| 28 |
2.26.2 |
| 29 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
