[openssl] add blacklist-by-sha1 support

BUG=chromium-os:26806
TEST=unit

Change-Id: I8736bf9509240c7da5cafd0eaaf750c49adacbd2
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/33124
Reviewed-by: Will Drewry <wad@chromium.org>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ac8dcbc..483c62d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -196,9 +196,11 @@
 	static const int MAX_BLACKLIST_LINE = 1024;
 
 	unsigned char md[EVP_MAX_MD_SIZE];
-	char hexmd[EVP_MAX_MD_SIZE * 2 + 1];
+	char hexsha256[EVP_MAX_MD_SIZE * 2 + 1];
+	char hexsha1[EVP_MAX_MD_SIZE * 2 + 1];
 	char hexserial[MAX_SERIAL * 2 + 1];
-	const EVP_MD *hash = EVP_sha256();
+	const EVP_MD *sha256 = EVP_sha256();
+	const EVP_MD *sha1 = EVP_sha1();
 	unsigned int n;
 	char line[MAX_BLACKLIST_LINE];
 	BIO *file;
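Review bot: The new `sha1` digest and `hexsha1` buffer carry no comment on why a SHA-1 match is acceptable here, and that is the first question a reviewer of a verification routine will ask. Because an entry in this file can only deny a certificate, a SHA-1 collision would let an attacker get a second certificate rejected, never accepted, so a one-line comment next to the declaration would settle it: `/* SHA-1 only selects deny-list entries; a collision cannot make a blacklisted cert verify */`. The buffer is sized like the existing hexsha256 one, and EVP_MAX_MD_SIZE covers both digest lengths. The enclosing function begins before this hunk.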
@@ -214,9 +216,12 @@
 	if (!file)
 		return 0;
 
-	if (!X509_digest(x, hash, md, &n))
+	if (!X509_digest(x, sha256, md, &n))
 		goto out;
-	hexify(md, hexmd, n);
+	hexify(md, hexsha256, n);
+	if (!X509_digest(x, sha1, md, &n))
+		goto out;
+	hexify(md, hexsha1, n);
 	serial = X509_get_serialNumber(x);
 	serial_len = serial->length;
 	if (serial_len > sizeof(hexserial) / 2)
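Review bot: `md` and `n` are now reused for two digests, so the `hexify(md, hexsha256, n)` call must stay between the two X509_digest calls; nothing in the code says so, and a comment would protect that ordering: `/* md and n are reused: hexify each digest before computing the next */`. Note also that a failure of either X509_digest jumps to out with ret presumably still at its initial value (set before this hunk, not visible), which would report the certificate as not blacklisted; if that fail-open outcome is intended it deserves a comment at the goto, otherwise consider returning a distinct error. The enclosing function starts before this hunk and the out label lies after it.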
@@ -232,7 +237,11 @@
 			continue;
 		if (strchr(arg, '\n'))
 			*strchr(arg, '\n') = '\0';
-		if (!strcmp(cmd, "sha256") && !strcmp(arg, hexmd)) {
+		if (!strcmp(cmd, "sha256") && !strcmp(arg, hexsha256)) {
+			ret = 1;
+			goto out;
+		}
+		if (!strcmp(cmd, "sha1") && !strcmp(arg, hexsha1)) {
 			ret = 1;
 			goto out;
 		}
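Review bot: The new sha1 block repeats the sha256 block line for line, so the match can be written once: `if ((!strcmp(cmd, "sha256") && !strcmp(arg, hexsha256)) || (!strcmp(cmd, "sha1") && !strcmp(arg, hexsha1))) {` followed by the existing `ret = 1; goto out;` body. Both comparisons are also case-sensitive, so an entry pasted from `openssl x509 -fingerprint` output (uppercase, colon-separated) would silently never match; if hexify emits lowercase, either document the required lowercase, colon-free form for the blacklist file or compare with strcasecmp. The enclosing loop and the out label lie outside this hunk.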
diff --git a/test/tblacklist b/test/tblacklist
index 42e4451..3ff1468 100644
--- a/test/tblacklist
+++ b/test/tblacklist
@@ -49,6 +49,7 @@
 
 # These are from 'openssl x509 -in google.pem -text -fingerprint -sha256'
 google_sha256='f641c36cfef49bc071359ecf88eed9317b738b5989416ad401720c0a4e2e6352'
+google_sha1='405062e5befde4af97e9382af16cc87c8fb7c4e2'
 google_serial='2fdfbcf6ae91526d0f9aa3df40343e9a'
 blacklist=/etc/ssl/blacklist
 
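Review bot: The comment above `google_sha256` still says the values come from `-fingerprint -sha256`, but the new `google_sha1` line now sits under it as well, so the provenance of the SHA-1 value is undocumented; update it to `# These are from 'openssl x509 -in google.pem -text -fingerprint -sha256' (and '-sha1' for google_sha1)`. Since both values are lowercase with no colons, the comment could also state that the fingerprints were normalised from openssl's colon-separated output, which is what the tool prints by default.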
@@ -68,6 +69,8 @@
 verify serial && die "verified with blacklisted serial"
 echo "sha256 $google_sha256" > "$blacklist"
 verify sha256 && die "verified with blacklisted sha256"
+echo "sha1 $google_sha1" > "$blacklist"
+verify sha1 && die "verified with blacklisted sha1"
 cp "$td/old-blacklist" "$blacklist"
 rm -rf "$td"
 exit 0
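Review bot: The added sha1 case only checks that a matching entry blocks verification; there is no check that a `sha1` entry with a non-matching fingerprint still lets verification succeed, so a regression where every `sha1` line rejects (for example an empty arg matching an empty hexsha1 on a digest failure) would pass this script. Unless an earlier part of the script not visible here covers it, add a line such as `echo "sha1 <constructed non-matching hex>" > "$blacklist"` followed by a `verify ... || die "failed with non-matching sha1"` check, using whatever label argument verify expects (its definition is outside this hunk). The same gap appears to exist for the sha256 case, so one helper covering both would keep the script short.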