[crypto] Disable MD5 as an OID-identifiable algorithm by default

Disable the use of MD5 as an OID-identifiable algorithm.  Note that
the MD5 algorithm implementation will still be present in the build,
since it is used implicitly by various cryptographic components such
as HTTP digest authentication; this commit removes it only from the
list of OID-identifiable algorithms.

It would be appropriate to similarly disable the use of SHA-1 by
default, but doing so would break the use of OCSP since several OCSP
responders (including the current version of openca-ocspd) are not
capable of interpreting the hashAlgorithm field and so will fail if
the client uses any algorithm other than the configured default.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/config/crypto.h b/src/config/crypto.h
index a87cf92843de99c218b62c231397aae43e9205f1..7c025175849f88b800d16e22b47d71f4cc53c03d 100644 (file)
--- a/src/config/crypto.h
+++ b/src/config/crypto.h
@@ -22,7 +22,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 //#define CRYPTO_DIGEST_MD4
 
 /** MD5 digest algorithm */
-#define CRYPTO_DIGEST_MD5
+//#define CRYPTO_DIGEST_MD5
 
 /** SHA-1 digest algorithm */
 #define CRYPTO_DIGEST_SHA1