From de5c7f0b99056f22483141bcdfd727809ea02ae1 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 28 Aug 2024 06:27:19 +0000
Subject: [PATCH] Add a comment to OCSP_id_issuer_cmp() to make blind use of X509_ALGOR_cmp() less likely.

ok jsing
---
 lib/libcrypto/ocsp/ocsp_lib.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/libcrypto/ocsp/ocsp_lib.c b/lib/libcrypto/ocsp/ocsp_lib.c
index 216af18fcd3..521fb67aed2 100644
--- a/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/lib/libcrypto/ocsp/ocsp_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_lib.c,v 1.27 2024/08/28 06:26:06 tb Exp $ */
+/* $OpenBSD: ocsp_lib.c,v 1.28 2024/08/28 06:27:19 tb Exp $ */
 /* Written by Tom Titchener for the OpenSSL
  * project. */
@@ -157,6 +157,11 @@ OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
 {
 	int ret;
+	/*
+	 * XXX - should we really ignore parameters here? We probably need to
+	 * consider omitted parameters and explicit ASN.1 NULL as equal for
+	 * the SHAs, so don't blindly switch to X509_ALGOR_cmp().
+	 */
 	ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
 	if (ret)
 		return ret;
-- 
2.20.1
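Review bot: The new comment in the second hunk phrases the contract of OCSP_id_issuer_cmp() as an open question ("XXX - should we really ignore parameters here?"), whereas the OBJ_cmp() call right below it already fixes the behaviour: only the hash algorithm OID is compared and the parameters field is deliberately not consulted. Since the comparison is what matches a CertID in a response against the one in a request, a reader should be told this is intentional rather than an oversight, so I would restate the comment as a statement of the invariant: the OID alone is compared, absent parameters and an explicit ASN.1 NULL must compare equal for the SHA family (the RFC 5754 AlgorithmIdentifier encoding rules, if the maintainers want a citation), and X509_ALGOR_cmp() would reject one of those two encodings, which is why switching to it is unsafe. Keeping the "XXX" marker is fine if the parameters question is genuinely still open, but the part that is settled should not read as tentative. The body of OCSP_id_issuer_cmp() continues past the end of the hunk, so the remaining issuerNameHash/issuerKeyHash comparisons are not visible here.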