From: Michael Brown Date: Tue, 16 Jun 2020 22:17:21 +0000 (+0100) Subject: [crypto] Disable MD5 as an OID-identifiable algorithm by default X-Git-Tag: v1.21.1~152 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f2006a9ada4a326ac904a8719170227c8860e21;p=thirdparty%2Fipxe.git [crypto] Disable MD5 as an OID-identifiable algorithm by default Disable the use of MD5 as an OID-identifiable algorithm. Note that the MD5 algorithm implementation will still be present in the build, since it is used implicitly by various cryptographic components such as HTTP digest authentication; this commit removes it only from the list of OID-identifiable algorithms. It would be appropriate to similarly disable the use of SHA-1 by default, but doing so would break the use of OCSP since several OCSP responders (including the current version of openca-ocspd) are not capable of interpreting the hashAlgorithm field and so will fail if the client uses any algorithm other than the configured default. Signed-off-by: Michael Brown --- diff --git a/src/config/crypto.h b/src/config/crypto.h index a87cf9284..7c0251758 100644 --- a/src/config/crypto.h +++ b/src/config/crypto.h @@ -22,7 +22,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); //#define CRYPTO_DIGEST_MD4 /** MD5 digest algorithm */ -#define CRYPTO_DIGEST_MD5 +//#define CRYPTO_DIGEST_MD5 /** SHA-1 digest algorithm */ #define CRYPTO_DIGEST_SHA1
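Review bot: the changed line `//#define CRYPTO_DIGEST_MD5` in src/config/crypto.h still sits under the unchanged doc comment `/** MD5 digest algorithm */`, so a reader of the header could take it to mean that MD5 is removed from the build. The commit message says otherwise: the implementation stays because components such as HTTP digest authentication use it implicitly, and only OID-based identification is turned off. Consider extending that doc comment to say the define controls only whether MD5 is an OID-identifiable algorithm, and that it is disabled by default. The same applies to the trailing context line `#define CRYPTO_DIGEST_SHA1`: the reason it stays enabled (OCSP responders that cannot interpret the hashAlgorithm field) is recorded only in the commit log. A short comment above that define would stop a later cleanup from disabling SHA-1 without checking OCSP behaviour first.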