Google Git
Sign in
flutter / third_party / openssl / c2c99e2860566044b23a5b3fded6f70b7436b9ad^! / .
commitc2c99e2860566044b23a5b3fded6f70b7436b9ad[log] [tgz]
authorDr. Stephen Henson <steve@openssl.org>Thu Jan 15 13:22:39 2009 +0000
committerDr. Stephen Henson <steve@openssl.org>Thu Jan 15 13:22:39 2009 +0000
treef80b3b69bdec325976f6e6ae8c067afc2cc0ab35
parent8125d9f99ceb3fcd81fdd191e85a73b27063383a [diff]
Update certificate hash line format to handle canonical format
and avoid MD5 dependency.

diff --git a/CHANGES b/CHANGES
index 66e812c..ea5162d 100644
--- a/CHANGES
+++ b/CHANGES

@@ -4,6 +4,13 @@
 
  Changes between 0.9.8j and 0.9.9  [xx XXX xxxx]
 
+  *) Enhance the hash format used for certificate directory links. The new
+     form uses the canonical encoding (meaning equivalent names will work
+     even if they aren't identical) and uses SHA1 instead of MD5. This form
+     is incompatible with the older format and as a result c_rehash should
+     be used to rebuild symbolic links.
+     [Steve Henson]
+
   *) Make PKCS#8 the default write format for private keys, replacing the
      traditional format. This form is standardised, more secure and doesn't
      include an implicit MD5 dependency.

diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 62e01b1..e779c33 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h

@@ -963,6 +963,7 @@
 int		X509_cmp(const X509 *a, const X509 *b);
 int		X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long	X509_NAME_hash(X509_NAME *x);
+unsigned long	X509_NAME_hash_old(X509_NAME *x);
 
 int		X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 int		X509_CRL_match(const X509_CRL *a, const X509_CRL *b);

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 180dedc..ee234b0 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c

@@ -198,11 +198,27 @@
 
 	}
 
+unsigned long X509_NAME_hash(X509_NAME *x)
+	{
+	unsigned long ret=0;
+	unsigned char md[16];
+
+	/* Make sure X509_NAME structure contains valid cached encoding */
+	i2d_X509_NAME(x,NULL);
+	EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL);
+
+	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+		)&0xffffffffL;
+	return(ret);
+	}
+
 
 #ifndef OPENSSL_NO_MD5
 /* I now DER encode the name and hash it.  Since I cache the DER encoding,
  * this is reasonably efficient. */
-unsigned long X509_NAME_hash(X509_NAME *x)
+
+unsigned long X509_NAME_hash_old(X509_NAME *x)
 	{
 	unsigned long ret=0;
 	unsigned char md[16];