From 7f2006a9ada4a326ac904a8719170227c8860e21 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Tue, 16 Jun 2020 23:17:21 +0100
Subject: [PATCH] [crypto] Disable MD5 as an OID-identifiable algorithm by
 default

Disable the use of MD5 as an OID-identifiable algorithm.  Note that
the MD5 algorithm implementation will still be present in the build,
since it is used implicitly by various cryptographic components such
as HTTP digest authentication; this commit removes it only from the
list of OID-identifiable algorithms.

It would be appropriate to similarly disable the use of SHA-1 by
default, but doing so would break the use of OCSP since several OCSP
responders (including the current version of openca-ocspd) are not
capable of interpreting the hashAlgorithm field and so will fail if
the client uses any algorithm other than the configured default.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/config/crypto.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/config/crypto.h b/src/config/crypto.h
index a87cf9284..7c0251758 100644
--- a/src/config/crypto.h
+++ b/src/config/crypto.h
@@ -22,7 +22,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 //#define CRYPTO_DIGEST_MD4
 
 /** MD5 digest algorithm */
-#define CRYPTO_DIGEST_MD5
+//#define CRYPTO_DIGEST_MD5
 
 /** SHA-1 digest algorithm */
 #define CRYPTO_DIGEST_SHA1