Cache sha512 hash and parsed not_before and not_after with X509 cert.

Replace sha1 hash use with sha512 for certificate comparisons internal to the library. use the cached sha512 for the validator's verification cache. Reduces our recomputation of hashes, and heavy use of time1 time conversion functions noticed bu claudio@ in rpki client. ok jsing@ tb@
author: beck <> 2021-11-04 23:52:34 +0000
committer: beck <> 2021-11-04 23:52:34 +0000
commit: 244374d8dda906a87c40f39a8ed949cf07a1c8f3 (patch)
tree: 3ca9bd91a3930e5f3e28873aa362dffdb8cf6227 /src/lib/libcrypto/ts
parent: b866948734d2d995d78efdc04fb93574782722fa (diff)
download: openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.gz
openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.bz2
openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.zip
2 files changed, 14 insertions, 7 deletions
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index 828407aa4b..cbd7039abe 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.25 2021/11/04 23:52:34 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -849,14 +849,18 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
 {
        ESS_CERT_ID *cid = NULL;
        GENERAL_NAME *name = NULL;
+        unsigned char cert_hash[TS_HASH_LEN];
        /* Recompute SHA1 hash of certificate if necessary (side effect). */
        X509_check_purpose(cert, -1, 0);
        if (!(cid = ESS_CERT_ID_new()))
                goto err;
-        if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
-            sizeof(cert->sha1_hash)))
+        if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
+                goto err;
+        if (!ASN1_OCTET_STRING_set(cid->hash, cert_hash, sizeof(cert_hash)))
                goto err;
        /* Setting the issuer/serial if requested. */
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 2e72ff47ae..07578945cb 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.23 2021/11/04 23:52:34 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -325,10 +325,14 @@ static int
 TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
 {
        int i;
+        unsigned char cert_hash[TS_HASH_LEN];
        if (!cert_ids || !cert)
                return -1;
+        if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
+                return -1;
        /* Recompute SHA1 hash of certificate if necessary (side effect). */
        X509_check_purpose(cert, -1, 0);
@@ -337,9 +341,8 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
                ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
                /* Check the SHA-1 hash first. */
-                if (cid->hash->length == sizeof(cert->sha1_hash) &&
+                if (cid->hash->length == TS_HASH_LEN && !memcmp(cid->hash->data,
-                    !memcmp(cid->hash->data, cert->sha1_hash,
+                    cert_hash, TS_HASH_LEN)) {
-                        sizeof(cert->sha1_hash))) {
                        /* Check the issuer/serial as well if specified. */
                        ESS_ISSUER_SERIAL *is = cid->issuer_serial;
                        if (!is || !TS_issuer_serial_cmp(is, cert->cert_info))
author	beck <>	2021-11-04 23:52:34 +0000
committer	beck <>	2021-11-04 23:52:34 +0000
commit	244374d8dda906a87c40f39a8ed949cf07a1c8f3 (patch)
tree	3ca9bd91a3930e5f3e28873aa362dffdb8cf6227 /src/lib/libcrypto/ts
parent	b866948734d2d995d78efdc04fb93574782722fa (diff)
download	openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.gz openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.tar.bz2 openbsd-244374d8dda906a87c40f39a8ed949cf07a1c8f3.zip

diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c index 828407aa4b..cbd7039abe 100644 --- a/src/lib/libcrypto/ts/ts_rsp_sign.c +++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */	1	/* $OpenBSD: ts_rsp_sign.c,v 1.25 2021/11/04 23:52:34 beck Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -849,14 +849,18 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
849	{	849	{
850	ESS_CERT_ID *cid = NULL;	850	ESS_CERT_ID *cid = NULL;
851	GENERAL_NAME *name = NULL;	851	GENERAL_NAME *name = NULL;
		852	unsigned char cert_hash[TS_HASH_LEN];
852		853
853	/* Recompute SHA1 hash of certificate if necessary (side effect). */	854	/* Recompute SHA1 hash of certificate if necessary (side effect). */
854	X509_check_purpose(cert, -1, 0);	855	X509_check_purpose(cert, -1, 0);
855		856
856	if (!(cid = ESS_CERT_ID_new()))	857	if (!(cid = ESS_CERT_ID_new()))
857	goto err;	858	goto err;
858	if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,	859
859	sizeof(cert->sha1_hash)))	860	if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
		861	goto err;
		862
		863	if (!ASN1_OCTET_STRING_set(cid->hash, cert_hash, sizeof(cert_hash)))
860	goto err;	864	goto err;
861		865
862	/* Setting the issuer/serial if requested. */	866	/* Setting the issuer/serial if requested. */


diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c index 2e72ff47ae..07578945cb 100644 --- a/src/lib/libcrypto/ts/ts_rsp_verify.c +++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_rsp_verify.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */	1	/* $OpenBSD: ts_rsp_verify.c,v 1.23 2021/11/04 23:52:34 beck Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2002.	3	* project 2002.
4	*/	4	*/
@@ -325,10 +325,14 @@ static int
325	TS_find_cert(STACK_OF(ESS_CERT_ID) cert_ids, X509 cert)	325	TS_find_cert(STACK_OF(ESS_CERT_ID) cert_ids, X509 cert)
326	{	326	{
327	int i;	327	int i;
		328	unsigned char cert_hash[TS_HASH_LEN];
328		329
329	if (!cert_ids \|\| !cert)	330	if (!cert_ids \|\| !cert)
330	return -1;	331	return -1;
331		332
		333	if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
		334	return -1;
		335
332	/* Recompute SHA1 hash of certificate if necessary (side effect). */	336	/* Recompute SHA1 hash of certificate if necessary (side effect). */
333	X509_check_purpose(cert, -1, 0);	337	X509_check_purpose(cert, -1, 0);
334		338
@@ -337,9 +341,8 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) cert_ids, X509 cert)
337	ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);	341	ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
338		342
339	/* Check the SHA-1 hash first. */	343	/* Check the SHA-1 hash first. */
340	if (cid->hash->length == sizeof(cert->sha1_hash) &&	344	if (cid->hash->length == TS_HASH_LEN && !memcmp(cid->hash->data,
341	!memcmp(cid->hash->data, cert->sha1_hash,	345	cert_hash, TS_HASH_LEN)) {
342	sizeof(cert->sha1_hash))) {
343	/* Check the issuer/serial as well if specified. */	346	/* Check the issuer/serial as well if specified. */
344	ESS_ISSUER_SERIAL *is = cid->issuer_serial;	347	ESS_ISSUER_SERIAL *is = cid->issuer_serial;
345	if (!is \|\| !TS_issuer_serial_cmp(is, cert->cert_info))	348	if (!is \|\| !TS_issuer_serial_cmp(is, cert->cert_info))