Diffstat (limited to 'src/lib/libcrypto/ts')
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c10
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_verify.c11
2 files changed, 14 insertions, 7 deletions
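--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.25 2021/11/04 23:52:34 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -849,14 +849,18 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
 {
  ESS_CERT_ID *cid = NULL;
  GENERAL_NAME *name = NULL;
+ unsigned char cert_hash[TS_HASH_LEN];
 
  /* Recompute SHA1 hash of certificate if necessary (side effect). */
  X509_check_purpose(cert, -1, 0);
 
  if (!(cid = ESS_CERT_ID_new()))
  goto err;
- if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
- sizeof(cert->sha1_hash)))
+
+ if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
+ goto err;
+
+ if (!ASN1_OCTET_STRING_set(cid->hash, cert_hash, sizeof(cert_hash)))
  goto err;
 
  /* Setting the issuer/serial if requested. */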
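Review bot: `X509_digest(cert, TS_HASH_EVP, cert_hash, NULL)` writes into a buffer of `TS_HASH_LEN` bytes and discards the output length, so the call is memory-safe only while the digest behind `TS_HASH_EVP` produces exactly `TS_HASH_LEN` bytes; neither definition is visible in this diff, and the same pattern is added to `TS_find_cert` in ts_rsp_verify.c. I would make the coupling explicit by declaring `unsigned char cert_hash[EVP_MAX_MD_SIZE];` with `unsigned int len;` and rejecting a mismatch with `if (!X509_digest(cert, TS_HASH_EVP, cert_hash, &len) || len != TS_HASH_LEN) goto err;`, then passing `len` to `ASN1_OCTET_STRING_set`. The body of `ESS_CERT_ID_new_init` continues past the end of this hunk, so the `err` path is not visible here.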
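--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.23 2021/11/04 23:52:34 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -325,10 +325,14 @@ static int
 TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
 {
  int i;
+ unsigned char cert_hash[TS_HASH_LEN];
 
  if (!cert_ids || !cert)
  return -1;
 
+ if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
+ return -1;
+
  /* Recompute SHA1 hash of certificate if necessary (side effect). */
  X509_check_purpose(cert, -1, 0);
 
@@ -337,9 +341,8 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
  ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
 
  /* Check the SHA-1 hash first. */
- if (cid->hash->length == sizeof(cert->sha1_hash) &&
- !memcmp(cid->hash->data, cert->sha1_hash,
- sizeof(cert->sha1_hash))) {
+ if (cid->hash->length == TS_HASH_LEN && !memcmp(cid->hash->data,
+ cert_hash, TS_HASH_LEN)) {
  /* Check the issuer/serial as well if specified. */
  ESS_ISSUER_SERIAL *is = cid->issuer_serial;
  if (!is || !TS_issuer_serial_cmp(is, cert->cert_info))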
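Review bot: The comment `/* Recompute SHA1 hash of certificate if necessary (side effect). */` above `X509_check_purpose(cert, -1, 0)` no longer matches the visible code, because the comparison now uses the locally computed `cert_hash` instead of `cert->sha1_hash`. If the call is kept to populate some other cached field, the comment should say which one; if nothing later in the function depends on it, it can presumably be dropped, which needs confirming against the rest of `TS_find_cert` since the loop body continues outside the hunk. `/* Check the SHA-1 hash first. */` would likewise read more accurately as `/* Check the certificate hash (TS_HASH_EVP) first. */`. The same stale comment remains in `ESS_CERT_ID_new_init` in ts_rsp_sign.c.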