Restrict MD5 in x509 certificates

Remove support for X509 certificates signed with MD5.
Issue raised by Harm Verhagen
diff --git a/library/x509_crt.c b/library/x509_crt.c
index a3517f6..186ecda 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1434,6 +1434,18 @@
     return( (int) ( size - n ) );
 }
 
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg acceptable for this profile, -1 otherwise
+ */
+static int x509_check_md_alg( md_type_t md_alg )
+{
+    if( md_alg >= POLARSSL_MINIMAL_SUPPORTED_MD_ALG )
+        return( 0 );
+
+    return( -1 );
+}
+
 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
 int x509_crt_check_key_usage( const x509_crt *crt, int usage )
 {
@@ -1542,6 +1554,15 @@
 #endif
 
         /*
+         * Check if CRL is signed with a valid MD
+         */
+        if( x509_check_md_alg( crl_list->sig_md ) != 0 )
+        {
+            flags |= BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        /*
          * Check if CRL is correctly signed by the trusted CA
          */
         md_info = md_info_from_type( crl_list->sig_md );
@@ -1788,6 +1809,18 @@
      */
     *flags |= BADCERT_NOT_TRUSTED;
 
+    /*
+     * Check if certificate is signed with a valid MD
+     */
+    if( x509_check_md_alg( child->sig_md ) != 0 )
+    {
+        *flags |= BADCERT_NOT_TRUSTED;
+        /*
+         * not signed with a valid MD, no need to check trust_ca
+         */
+        trust_ca = NULL;
+    }
+
     md_info = md_info_from_type( child->sig_md );
     if( md_info == NULL )
     {
@@ -1925,6 +1958,12 @@
     if( x509_time_future( &child->valid_from ) )
         *flags |= BADCERT_FUTURE;
 
+    /*
+     * Check if certificate is signed with a valid MD
+     */
+    if( x509_check_md_alg( child->sig_md ) != 0 )
+        *flags |= BADCERT_NOT_TRUSTED;
+
     md_info = md_info_from_type( child->sig_md );
     if( md_info == NULL )
     {