Prefer fetch over legacy get_digestby/get_cipherby

[openssl.git] / crypto / ocsp / ocsp_vfy.c

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 02af58437c09306e23342b1847c6f6a94def25e5..4231c3f2b288fb3740ab017be3d4bf767d8d64d4 100644 (file)
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -7,10 +7,11 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <string.h>
 #include <openssl/ocsp.h>
-#include "ocsp_local.h"
 #include <openssl/err.h>
-#include <string.h>
+#include "internal/sizes.h"
+#include "ocsp_local.h"
 
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
                             STACK_OF(X509) *certs, unsigned long flags);
@@ -302,42 +303,56 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                                STACK_OF(OCSP_SINGLERESP) *sresp)
 {
+    int ret = -1;
+    EVP_MD *dgst = NULL;
+
     /* If only one ID to match then do it */
     if (cid != NULL) {
-        const EVP_MD *dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm);
+        char name[OSSL_MAX_NAME_SIZE];
         const X509_NAME *iname;
         int mdlen;
         unsigned char md[EVP_MAX_MD_SIZE];
 
+        OBJ_obj2txt(name, sizeof(name), cid->hashAlgorithm.algorithm, 0);
+
+        (void)ERR_set_mark();
+        dgst = EVP_MD_fetch(NULL, name, NULL);
+        if (dgst == NULL)
+            dgst = (EVP_MD *)EVP_get_digestbyname(name);
+
         if (dgst == NULL) {
+            (void)ERR_clear_last_mark();
             ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
-            return -1;
+            goto end;
         }
+        (void)ERR_pop_to_mark();
 
         mdlen = EVP_MD_size(dgst);
         if (mdlen < 0) {
             ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR);
-            return -1;
+            goto end;
         }
         if (cid->issuerNameHash.length != mdlen ||
-            cid->issuerKeyHash.length != mdlen)
-            return 0;
+            cid->issuerKeyHash.length != mdlen) {
+            ret = 0;
+            goto end;
+        }
         iname = X509_get_subject_name(cert);
-        if (!X509_NAME_digest(iname, dgst, md, NULL)) {
-            ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_NAME_ERR);
-            return -1;
+        if (!X509_NAME_digest(iname, dgst, md, NULL))
+            goto end;
+        if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) {
+            ret = 0;
+            goto end;
         }
-        if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0)
-            return 0;
         if (!X509_pubkey_digest(cert, dgst, md, NULL)) {
             ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR);
-            return -1;
+            goto end;
         }
-        if (memcmp(md, cid->issuerKeyHash.data, mdlen) != 0)
-            return 0;
+        ret = memcmp(md, cid->issuerKeyHash.data, mdlen) == 0;
+        goto end;
     } else {
         /* We have to match the whole lot */
-        int i, ret;
+        int i;
         OCSP_CERTID *tmpid;
 
         for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
@@ -348,6 +363,9 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
         }
     }
     return 1;
+end:
+    EVP_MD_free(dgst);
+    return ret;
 }
 
 static int ocsp_check_delegated(X509 *x)