Avoid structure access in crypto/ts
authorDr. Stephen Henson <steve@openssl.org>
Tue, 22 Sep 2015 17:37:57 +0000 (18:37 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 22 Sep 2015 20:15:55 +0000 (21:15 +0100)
Reviewed-by: Rich Salz <rsalz@openssl.org>
crypto/ts/ts_rsp_sign.c
crypto/ts/ts_rsp_verify.c

index 3694239..dd6591d 100644 (file)
@@ -784,12 +784,13 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
 {
     ESS_CERT_ID *cid = NULL;
     GENERAL_NAME *name = NULL;
+    unsigned char cert_sha1[SHA_DIGEST_LENGTH];
 
     X509_check_purpose(cert, -1, 0);
     if ((cid = ESS_CERT_ID_new()) == NULL)
         goto err;
-    if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
-                               sizeof(cert->sha1_hash)))
+    X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+    if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
         goto err;
 
     /* Setting the issuer/serial if requested. */
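Review bot: The return value of `X509_digest()` is ignored in ess_CERT_ID_new_init, so if the digest fails, `cert_sha1` is left as uninitialised stack bytes and ASN1_OCTET_STRING_set copies them into `cid->hash`. The old code read a cached field and had no failure path at this point; the new call does. The function already has an `err` label, so the call can be guarded as `if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) goto err;`. The same unchecked call is added to ts_find_cert in crypto/ts/ts_rsp_verify.c, where memcmp would then compare against an indeterminate buffer; a `return -1;` on failure there makes the lookup fail closed. The body of ess_CERT_ID_new_init continues past the end of this hunk.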
index 1133b5d..84c9b31 100644 (file)
@@ -289,10 +289,13 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
 static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
 {
     int i;
+    unsigned char cert_sha1[SHA_DIGEST_LENGTH];
 
     if (!cert_ids || !cert)
         return -1;
 
+    X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+
     /* Recompute SHA1 hash of certificate if necessary (side effect). */
     X509_check_purpose(cert, -1, 0);
 
@@ -300,9 +303,8 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
     for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
         ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
 
-        if (cid->hash->length == sizeof(cert->sha1_hash)
-            && memcmp(cid->hash->data, cert->sha1_hash,
-                       sizeof(cert->sha1_hash)) == 0) {
+        if (cid->hash->length == SHA_DIGEST_LENGTH
+            && memcmp(cid->hash->data, cert_sha1, SHA_DIGEST_LENGTH) == 0) {
             ESS_ISSUER_SERIAL *is = cid->issuer_serial;
             if (!is || !ts_issuer_serial_cmp(is, cert))
                 return i;
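Review bot: The comparison in this hunk now reads the locally computed `cert_sha1`, which leaves the comment kept a few lines earlier in ts_find_cert, `/* Recompute SHA1 hash of certificate if necessary (side effect). */`, describing a dependency the code no longer has. If the `X509_check_purpose(cert, -1, 0)` call is still needed, presumably for cached certificate data used by ts_issuer_serial_cmp (not visible here), the comment should say that instead, for example `/* Populate cached certificate data used below (side effect). */`. If it is not needed, the call and comment can be removed together. The loop and the rest of ts_find_cert continue outside this hunk.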