commit 15302de8952945988c12df44382417494a37c484
author Bob Beck <bbe@google.com> Mon Apr 25 16:34:55 2022 -0600
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Tue Apr 26 15:18:56 2022 +0000
tree 21805409bf749d5a5b45ee5592644b0bab3e33bc
parent 553e81e47359e56c98ef7fd3c4c5e6d94253cc4a

Remove code added to avoid SHA1 weakness.

We no longer use a weak hash for certificate comparisons. There
is no need to do extra work when certificates are the same.

Change-Id: I3b4b295122b289ae389bce2245b8348562700855
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52346
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>

crypto/x509/x509_cmp.c

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index e9e1d8c..80590e2 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -165,18 +165,7 @@
     x509v3_cache_extensions((X509 *)a);
     x509v3_cache_extensions((X509 *)b);
 
-    int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
-    if (rv)
-        return rv;
-    /* Check for match against stored encoding too */
-    if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) {
-        rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len);
-        if (rv)
-            return rv;
-        return OPENSSL_memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc,
-                              a->cert_info->enc.len);
-    }
-    return rv;
+    return OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
 }
 
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)