From 7b595774f01a6264069fd41b6dd65dd6bcb9a94e Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Jun 26 2017 14:28:56 +0000
Subject: disable verification of all insecure hashes


---

diff --git a/openssl-1.1.0-no-md5-verify.patch b/openssl-1.1.0-no-md5-verify.patch
deleted file mode 100644
index e490729..0000000
--- a/openssl-1.1.0-no-md5-verify.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff -up openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0-pre6/crypto/asn1/a_verify.c
---- openssl-1.1.0-pre6/crypto/asn1/a_verify.c.no-md5-verify	2016-08-04 16:00:45.000000000 +0200
-+++ openssl-1.1.0-pre6/crypto/asn1/a_verify.c	2016-08-08 16:01:38.382424922 +0200
-@@ -7,6 +7,9 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
- 
-@@ -129,6 +132,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
-         if (ret != 2)
-             goto err;
-         ret = -1;
-+    } else if (mdnid == NID_md5
-+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
-+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
-+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+        goto err;
-     } else {
-         const EVP_MD *type;
-         type = EVP_get_digestbynid(mdnid);
diff --git a/openssl-1.1.0-no-weak-verify.patch b/openssl-1.1.0-no-weak-verify.patch
new file mode 100644
index 0000000..406d7a0
--- /dev/null
+++ b/openssl-1.1.0-no-weak-verify.patch
@@ -0,0 +1,26 @@
+diff -up openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.0f/crypto/asn1/a_verify.c
+--- openssl-1.1.0f/crypto/asn1/a_verify.c.no-weak-verify	2017-05-25 14:46:18.000000000 +0200
++++ openssl-1.1.0f/crypto/asn1/a_verify.c	2017-06-26 16:26:49.496989272 +0200
+@@ -7,6 +7,9 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++/* for secure_getenv */
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <time.h>
+ 
+@@ -129,6 +132,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
+         if (ret != 2)
+             goto err;
+         ret = -1;
++    } else if ((mdnid == NID_md5
++               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
++        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
++                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++        goto err;
+     } else {
+         const EVP_MD *type;
+         type = EVP_get_digestbynid(mdnid);
diff --git a/openssl.spec b/openssl.spec
index 45be0ad..985bfcb 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.0f
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -53,7 +53,7 @@ Patch34: openssl-1.1.0-starttls-xmpp.patch
 Patch35: openssl-1.1.0-chil-fixes.patch
 Patch36: openssl-1.1.0-secure-getenv.patch
 Patch37: openssl-1.1.0-ec-curves.patch
-Patch38: openssl-1.1.0-no-md5-verify.patch
+Patch38: openssl-1.1.0-no-weak-verify.patch
 Patch39: openssl-1.1.0-cc-reqs.patch
 Patch40: openssl-1.1.0-disable-ssl3.patch
 Patch41: openssl-1.1.0-system-cipherlist.patch
@@ -436,6 +436,9 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Jun 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-5
+- disable verification of all insecure hashes
+
 * Fri Jun 23 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-4
 - make DTLS work (#1462541)