From bf973d0697e61a44dc46d08b0421a08a8cb61887 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Mon, 28 Dec 2020 11:27:31 +0100 Subject: Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13762) --- apps/crl.c | 17 ++++++++++++++--- apps/rehash.c | 19 ++++++++++++++++--- 2 files changed, 30 insertions(+), 6 deletions(-) (limited to 'apps') diff --git a/apps/crl.c b/apps/crl.c index 0daded01e3..58d63e71d5 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -287,22 +287,33 @@ int crl_main(int argc, char **argv) } if (crlnumber == i) { ASN1_INTEGER *crlnum; + crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL); BIO_printf(bio_out, "crlNumber="); if (crlnum) { BIO_puts(bio_out, "0x"); i2a_ASN1_INTEGER(bio_out, crlnum); ASN1_INTEGER_free(crlnum); - } else + } else { BIO_puts(bio_out, ""); + } BIO_printf(bio_out, "\n"); } if (hash == i) { - BIO_printf(bio_out, "%08lx\n", - X509_NAME_hash(X509_CRL_get_issuer(x))); + int ok; + unsigned long hash_value = + X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(), + app_get0_propq(), &ok); + + BIO_printf(bio_out, "issuer name hash="); + if (ok) + BIO_printf(bio_out, "%08lx\n", hash_value); + else + BIO_puts(bio_out, ""); } #ifndef OPENSSL_NO_MD5 if (hash_old == i) { + BIO_printf(bio_out, "issuer name old hash="); BIO_printf(bio_out, "%08lx\n", X509_NAME_hash_old(X509_CRL_get_issuer(x))); } diff --git a/apps/rehash.c b/apps/rehash.c index 2b867d43cc..29dc76bc38 100644 --- a/apps/rehash.c +++ b/apps/rehash.c 
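Review bot: In the `hash == i` branch of apps/crl.c, the failure path (`ok` is 0) writes its text with `BIO_puts` and no trailing newline, and nothing visible in the hunk records the failure. A following `issuer name old hash=` line would therefore run onto the same output line, and the command presumably still exits with success. Scripts that use this value to name CRL files in a hashed directory would get a non-hash string with no error signal, which can leave a CRL where lookup never finds it. I would terminate the line on the error path with `BIO_puts(bio_out, "\n");`, add a `BIO_printf(bio_err, ...)` diagnostic, and take whatever failure exit crl_main uses outside this hunk. The new `issuer name hash=` prefix also replaces output that used to be the bare `%08lx` value, so the option's documentation should mention it for anyone parsing the output; crl_main starts and ends outside the hunk.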
@@ -291,10 +291,23 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) goto end; } if (name != NULL) { - if ((h == HASH_NEW) || (h == HASH_BOTH)) - errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + if (h == HASH_NEW || h == HASH_BOTH) { + int ok; + unsigned long hash_value = + X509_NAME_hash_ex(name, + app_get0_libctx(), app_get0_propq(), &ok); + + if (ok) { + errs += add_entry(type, hash_value, filename, digest, 1, ~0); + } else { + BIO_printf(bio_err, "%s: error calculating SHA1 hash value\n", + opt_getprog()); + errs++; + } + } if ((h == HASH_OLD) || (h == HASH_BOTH)) - errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + errs += add_entry(type, X509_NAME_hash_old(name), + filename, digest, 1, ~0); } end: -- cgit v1.2.3
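Review bot: The new error message in the `else` branch of do_file does not say which file failed, although `filename` is in scope. In a directory run the operator sees only `error calculating SHA1 hash value` and cannot tell which certificate or CRL was left without its hash entry. A file without that entry is not found by hashed-directory lookup, so for a CRL the affected file matters for revocation checking. I would include the name: `BIO_printf(bio_err, "%s: error calculating SHA1 hash value for %s\n", opt_getprog(), filename);`. With `HASH_BOTH` the old-style entry is still added after the failure, which looks intended but deserves a one-line comment; do_file starts and ends outside the hunk.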