Please find attached below a patch that adds support for the use of sha256 in
certificate comparisons. It also addresses a problem in which sha1 comparison
was attempted as long as OPENSSL_NO_SHA was absent even when OPENSSL_NO_SHA1
was defined
Best Regards
Nick
------------
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 092dd74..3e0154b 100755
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -303,7 +303,13 @@ struct x509_st
struct ASIdentifiers_st *rfc3779_asid;
#endif
#ifndef OPENSSL_NO_SHA
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+#ifndef OPENSSL_NO_SHA256
+ unsigned char cmp_hash[SHA256_DIGEST_LENGTH];
+#else
+#ifndef OPENSSL_NO_SHA1
+ unsigned char cmp_hash[SHA_DIGEST_LENGTH];
+#endif
+#endif
#endif
X509_CERT_AUX *aux;
} /* X509 */;
@@ -476,7 +482,13 @@ struct X509_crl_st
ASN1_INTEGER *crl_number;
ASN1_INTEGER *base_crl_number;
#ifndef OPENSSL_NO_SHA
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+#ifndef OPENSSL_NO_SHA256
+ unsigned char cmp_hash[SHA256_DIGEST_LENGTH];
+#else
+#ifndef OPENSSL_NO_SHA1
+ unsigned char cmp_hash[SHA_DIGEST_LENGTH];
+#endif
+#endif
#endif
STACK_OF(GENERAL_NAMES) *issuers;
const X509_CRL_METHOD *meth;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 80ebcd3..e1d5c95 100755
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -120,10 +120,14 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
return(X509_NAME_cmp(a->crl->issuer,b->crl->issuer));
}
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && (!defined(OPENSSL_NO_SHA1) ||
!defined(OPENSSL_NO_SHA256))
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
{
- return memcmp(a->sha1_hash, b->sha1_hash, 20);
+#ifndef OPENSSL_NO_SHA256
+ return memcmp(a->cmp_hash, b->cmp_hash, SHA256_DIGEST_LENGTH);
+#else
+ return memcmp(a->cmp_hash, b->cmp_hash, SHA_DIGEST_LENGTH);
+#endif
}
#endif
@@ -166,7 +170,7 @@ unsigned long X509_subject_name_hash_old(X509 *x)
}
#endif
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA) && (!defined(OPENSSL_NO_SHA1) ||
!defined(OPENSSL_NO_SHA256))
/* Compare two certificates: they must be identical for
* this to work. NB: Although "cmp" operations are generally
* prototyped to take "const" arguments (eg. for use in
@@ -181,8 +185,11 @@ int X509_cmp(const X509 *a, const X509 *b)
/* ensure hash is valid */
X509_check_purpose((X509 *)a, -1, 0);
X509_check_purpose((X509 *)b, -1, 0);
-
- return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+#ifndef OPENSSL_NO_SHA256
+ return memcmp(a->cmp_hash, b->cmp_hash, SHA256_DIGEST_LENGTH);
+#else
+ return memcmp(a->cmp_hash, b->cmp_hash, SHA_DIGEST_LENGTH);
+#endif
}
#endif
diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h
index 190e8a1..f8b23c2 100755
--- a/crypto/ts/ts.h
+++ b/crypto/ts/ts.h
@@ -263,7 +263,7 @@ ESSCertID ::= SEQUENCE {
typedef struct ESS_cert_id
{
- ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
+ ASN1_OCTET_STRING *hash;
ESS_ISSUER_SERIAL *issuer_serial;
} ESS_CERT_ID;
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index b0f023c..5458a7c 100755
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -854,12 +854,12 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int
issuer_needed)
ESS_CERT_ID *cid = NULL;
GENERAL_NAME *name = NULL;
- /* Recompute SHA1 hash of certificate if necessary (side effect). */
+ /* Recompute hash of certificate if necessary (side effect). */
X509_check_purpose(cert, -1, 0);
if (!(cid = ESS_CERT_ID_new())) goto err;
- if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
- sizeof(cert->sha1_hash)))
+ if (!ASN1_OCTET_STRING_set(cid->hash, cert->cmp_hash,
+ sizeof(cert->cmp_hash)))
goto err;
/* Setting the issuer/serial if requested. */
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index afe16af..ec36666 100755
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -311,7 +311,7 @@ static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids,
X509 *cert)
if (!cert_ids || !cert) return -1;
- /* Recompute SHA1 hash of certificate if necessary (side effect). */
+ /* Recompute hash of certificate if necessary (side effect). */
X509_check_purpose(cert, -1, 0);
/* Look for cert in the cert_ids vector. */
@@ -319,10 +319,10 @@ static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids,
X509 *cert)
{
ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
- /* Check the SHA-1 hash first. */
- if (cid->hash->length == sizeof(cert->sha1_hash)
- && !memcmp(cid->hash->data, cert->sha1_hash,
- sizeof(cert->sha1_hash)))
+ /* Check the hash first. */
+ if (cid->hash->length == sizeof(cert->cmp_hash)
+ && !memcmp(cid->hash->data, cert->cmp_hash,
+ sizeof(cert->cmp_hash)))
{
/* Check the issuer/serial as well if specified. */
ESS_ISSUER_SERIAL *is = cid->issuer_serial;
The details of this company are as follows:
G4S Technology Limited, Registered Office: Challenge House, International
Drive, Tewkesbury, Gloucestershire GL20 8UQ, Registered in England No. 2382338.
This communication may contain information which is confidential, personal
and/or privileged.
It is for the exclusive use of the intended recipient(s).
If you are not the intended recipient(s), please note that any distribution,
forwarding, copying or use of this communication or the information in it is
strictly prohibited.
Any personal views expressed in this e-mail are those of the individual sender
and the company does not endorse or accept responsibility for them.
Prior to taking any action based upon this e-mail message, you should seek
appropriate confirmation of its authenticity.
This e-mail has been scanned for all viruses by MessageLabs.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
