From 7e4188326b4e9c179835f6b3ee668b2a70eb0cfd Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 22 Sep 2015 18:37:57 +0100
Subject: [PATCH] Avoid structure access in crypto/ts
Reviewed-by: Rich Salz
---
 crypto/ts/ts_rsp_sign.c | 5 +++--
 crypto/ts/ts_rsp_verify.c | 8 +++++---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 369423902c..dd6591db13 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -784,12 +784,13 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
 {
 ESS_CERT_ID *cid = NULL;
 GENERAL_NAME *name = NULL;
+ unsigned char cert_sha1[SHA_DIGEST_LENGTH];
 X509_check_purpose(cert, -1, 0);
 if ((cid = ESS_CERT_ID_new()) == NULL)
 goto err;
- if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
- sizeof(cert->sha1_hash)))
+ X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+ if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
 goto err;
 /* Setting the issuer/serial if requested. */
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 1133b5d223..84c9b3135f 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -289,10 +289,13 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
 static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
 {
 int i;
+ unsigned char cert_sha1[SHA_DIGEST_LENGTH];
 if (!cert_ids || !cert)
 return -1;
+ X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+
 /* Recompute SHA1 hash of certificate if necessary (side effect). */
 X509_check_purpose(cert, -1, 0);
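Review bot: The added `X509_digest(cert, EVP_sha1(), cert_sha1, NULL);` in ess_CERT_ID_new_init (crypto/ts/ts_rsp_sign.c) discards its return value, so on a failed digest `cert_sha1` stays uninitialised stack memory and ASN1_OCTET_STRING_set then copies it into `cid->hash`. That would place stack bytes and a wrong certificate identifier in the ESS_CERT_ID; the call should be checked, `if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) goto err;`. The same unchecked call is added in ts_find_cert in crypto/ts/ts_rsp_verify.c, where the later memcmp would read the uninitialised buffer; there `if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) return -1;` matches the existing failure return. The body of ess_CERT_ID_new_init and its `err` label continue outside the hunk.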
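Review bot: The retained comment `/* Recompute SHA1 hash of certificate if necessary (side effect). */` in ts_find_cert (crypto/ts/ts_rsp_verify.c) is stale after this change, because the hash is now computed by X509_digest into `cert_sha1` and the visible hunks no longer read the cached value. If X509_check_purpose is still needed here, the comment should say what for, for example `/* Called for its side effect of caching certificate data; the SHA-1 hash is computed above. */`; if nothing later in the function depends on that side effect, the call could presumably be dropped. The function's loop is in the following hunk and its end lies outside the hunks.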
@@ -300,9 +303,8 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
- if (cid->hash->length == sizeof(cert->sha1_hash)
- && memcmp(cid->hash->data, cert->sha1_hash,
- sizeof(cert->sha1_hash)) == 0) {
+ if (cid->hash->length == SHA_DIGEST_LENGTH
+ && memcmp(cid->hash->data, cert_sha1, SHA_DIGEST_LENGTH) == 0) {
 ESS_ISSUER_SERIAL *is = cid->issuer_serial;
 if (!is || !ts_issuer_serial_cmp(is, cert))
 return i;
--
2.25.1