[openssl] add blacklist-by-sha1 support
BUG=chromium-os:26806
TEST=unit
Change-Id: I8736bf9509240c7da5cafd0eaaf750c49adacbd2
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/33124
Reviewed-by: Will Drewry <wad@chromium.org>
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ac8dcbc..483c62d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -196,9 +196,11 @@
static const int MAX_BLACKLIST_LINE = 1024;
unsigned char md[EVP_MAX_MD_SIZE];
- char hexmd[EVP_MAX_MD_SIZE * 2 + 1];
+ char hexsha256[EVP_MAX_MD_SIZE * 2 + 1];
+ char hexsha1[EVP_MAX_MD_SIZE * 2 + 1];
char hexserial[MAX_SERIAL * 2 + 1];
- const EVP_MD *hash = EVP_sha256();
+ const EVP_MD *sha256 = EVP_sha256();
+ const EVP_MD *sha1 = EVP_sha1();
unsigned int n;
char line[MAX_BLACKLIST_LINE];
BIO *file;
@@ -214,9 +216,12 @@
if (!file)
return 0;
- if (!X509_digest(x, hash, md, &n))
+ if (!X509_digest(x, sha256, md, &n))
goto out;
- hexify(md, hexmd, n);
+ hexify(md, hexsha256, n);
+ if (!X509_digest(x, sha1, md, &n))
+ goto out;
+ hexify(md, hexsha1, n);
serial = X509_get_serialNumber(x);
serial_len = serial->length;
if (serial_len > sizeof(hexserial) / 2)
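Review bot: A failure of the new `X509_digest(x, sha1, md, &n)` call now aborts the whole lookup before a single blacklist line is read, so a certificate listed by sha256 or serial would no longer be caught if SHA-1 were unavailable (e.g. a build with SHA-1 compiled out); `ret`'s initial value is outside the hunk, but the existing `goto out` pattern suggests this path fails open rather than closed. Since the SHA-1 fingerprint is only needed for `sha1` entries, I would record the failure instead of returning, `int have_sha1 = X509_digest(x, sha1, md, &n); if (have_sha1) hexify(md, hexsha1, n);`, and have the `sha1` match below require `have_sha1` — or fail closed explicitly if that is the intended policy. Reusing `md` and `n` for both digests is fine only because each is hexified before the next call overwrites them; a one-line comment saying so, `/* md/n are reused: each digest is hexified before the next overwrites them */`, would stop a future reorder from breaking it. The enclosing function starts before this hunk and continues after it.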
@@ -232,7 +237,11 @@
continue;
if (strchr(arg, '\n'))
*strchr(arg, '\n') = '\0';
- if (!strcmp(cmd, "sha256") && !strcmp(arg, hexmd)) {
+ if (!strcmp(cmd, "sha256") && !strcmp(arg, hexsha256)) {
+ ret = 1;
+ goto out;
+ }
+ if (!strcmp(cmd, "sha1") && !strcmp(arg, hexsha1)) {
ret = 1;
goto out;
}
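Review bot: The `sha1` match added here is an exact, case-sensitive `strcmp` against the form produced by `hexify`, so a line pasted from `openssl x509 -fingerprint -sha1` (uppercase, colon-separated) will silently never match; the existing sha256 branch has the same property, and the new branch doubles the surface for that mistake. Either normalise `arg` (strip `:` and lowercase) before comparing, or state the expected format in a comment above the loop, e.g. `/* fingerprints must be written exactly as hexify() emits them (see test/tblacklist) */`. The two branches have identical bodies and read better as one condition: `if ((!strcmp(cmd, "sha256") && !strcmp(arg, hexsha256)) || (!strcmp(cmd, "sha1") && !strcmp(arg, hexsha1))) {`. Using SHA-1 purely as a rejection key is acceptable here — a collision could at most get a legitimate certificate rejected, never a blacklisted one accepted. The loop and function continue outside the hunk.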
diff --git a/test/tblacklist b/test/tblacklist
index 42e4451..3ff1468 100644
--- a/test/tblacklist
+++ b/test/tblacklist
@@ -49,6 +49,7 @@
# These are from 'openssl x509 -in google.pem -text -fingerprint -sha256'
google_sha256='f641c36cfef49bc071359ecf88eed9317b738b5989416ad401720c0a4e2e6352'
+google_sha1='405062e5befde4af97e9382af16cc87c8fb7c4e2'
google_serial='2fdfbcf6ae91526d0f9aa3df40343e9a'
blacklist=/etc/ssl/blacklist
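Review bot: The comment above `google_sha256` still cites only `-fingerprint -sha256`, while the new `google_sha1` line has no provenance, and both values are lowercase without colons, which is not what `openssl x509 -fingerprint` prints as-is. I would extend the comment to `# These are from 'openssl x509 -in google.pem -text -fingerprint -sha256' (and -sha1), with the colons stripped and lowercased to match what the loader compares against` so that a future refresh of the test certificate reproduces the exact format.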
@@ -68,6 +69,8 @@
verify serial && die "verified with blacklisted serial"
echo "sha256 $google_sha256" > "$blacklist"
verify sha256 && die "verified with blacklisted sha256"
+echo "sha1 $google_sha1" > "$blacklist"
+verify sha1 && die "verified with blacklisted sha1"
cp "$td/old-blacklist" "$blacklist"
rm -rf "$td"
exit 0
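Review bot: The new `sha1` case only checks that a matching entry causes rejection; nothing checks that a non-matching `sha1` line still lets verification succeed, so a comparison bug that matched every `sha1` line (or a `hexify` length mismatch) would pass this test. I would add the negative counterpart right after it, `echo "sha1 0000000000000000000000000000000000000000" > "$blacklist"` followed by `verify sha1-nomatch || die "rejected with non-matching sha1"`, assuming `verify`'s argument is only a label as the existing calls suggest (it is defined outside this hunk). The system blacklist is restored only on the success path at `cp "$td/old-blacklist" "$blacklist"`; whether `die` also restores it is not visible here.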