From 057f48120967ec6ff7cfa60031d2b568727e8fef Mon Sep 17 00:00:00 2001
From: beck <beck@openbsd.org>
Date: Thu, 24 Feb 2022 22:05:06 +0000
Subject: [PATCH] Get rid of SHA1 for comparing CRL's - use SHA512 just like we
 do for certs. ok tb@

---
 lib/libcrypto/asn1/x_crl.c    | 6 ++----
 lib/libcrypto/x509/x509_cmp.c | 4 ++--
 lib/libcrypto/x509/x509_lcl.h | 6 +++---
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c
index 8cea9e0b7b5..35d9007f7ce 100644
--- a/lib/libcrypto/asn1/x_crl.c
+++ b/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.36 2021/12/03 17:07:53 jsing Exp $ */
+/* $OpenBSD: x_crl.c,v 1.37 2022/02/24 22:05:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -288,9 +288,7 @@ crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 		break;
 
 	case ASN1_OP_D2I_POST:
-#ifndef OPENSSL_NO_SHA
-		X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
-#endif
+		X509_CRL_digest(crl, X509_CRL_HASH_EVP, crl->hash, NULL);
 		crl->idp = X509_CRL_get_ext_d2i(crl,
 		    NID_issuing_distribution_point, NULL, NULL);
 		if (crl->idp)
diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c
index e60ee25de1a..4fd8d78fc3d 100644
--- a/lib/libcrypto/x509/x509_cmp.c
+++ b/lib/libcrypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.38 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.39 2022/02/24 22:05:06 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -143,7 +143,7 @@ X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
 int
 X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
 {
-	return memcmp(a->sha1_hash, b->sha1_hash, 20);
+	return memcmp(a->hash, b->hash, X509_CRL_HASH_LEN);
 }
 #endif
 
diff --git a/lib/libcrypto/x509/x509_lcl.h b/lib/libcrypto/x509/x509_lcl.h
index 7854346b1f0..e7eb733f7d9 100644
--- a/lib/libcrypto/x509/x509_lcl.h
+++ b/lib/libcrypto/x509/x509_lcl.h
@@ -66,6 +66,8 @@ __BEGIN_HIDDEN_DECLS
 
 #define X509_CERT_HASH_EVP	EVP_sha512()
 #define X509_CERT_HASH_LEN	SHA512_DIGEST_LENGTH
+#define X509_CRL_HASH_EVP	EVP_sha512()
+#define X509_CRL_HASH_LEN	SHA512_DIGEST_LENGTH
 
 struct X509_pubkey_st {
 	X509_ALGOR *algor;
@@ -227,9 +229,7 @@ struct X509_crl_st {
 	/* CRL and base CRL numbers for delta processing */
 	ASN1_INTEGER *crl_number;
 	ASN1_INTEGER *base_crl_number;
-#ifndef OPENSSL_NO_SHA
-	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
-#endif
+	unsigned char hash[X509_CRL_HASH_LEN];
 	STACK_OF(GENERAL_NAMES) *issuers;
 	const X509_CRL_METHOD *meth;
 	void *meth_data;
-- 
2.20.1