openssl: backward compatibility after x509 hash function change

There are many symbolic links under /etc/ssl/certs created by using hash of
the pem certificates in order for OpenSSL to find those certificate.
Openssl has a tool to help you create hash symbolic links. (See tools/c_rehash)
However the new openssl changed the hash algorithm, Unless you compile/install
the latest openssl library and re-create all related symbolic links, the new
openssl can not find some certificates because the links of those certificates
were created by using old hash algorithm, which causes some tests failed.

This patch gives a way to find a certificate according to its hash by using both
new algorithm and old algorithm.

crbug.com/111045 is used to track this issue.

This patch is taken from the Chromium project.

1 files changed, 8 insertions, 0 deletions

diff --git a/deps/openssl/openssl/crypto/x509/by_dir.c b/deps/openssl/openssl/crypto/x509/by_dir.c
index 27ca5150c1..03293ac2dc 100644
--- a/deps/openssl/openssl/crypto/x509/by_dir.c
+++ b/deps/openssl/openssl/crypto/x509/by_dir.c
@@ -287,6 +287,8 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 	int ok=0;
 	int i,j,k;
 	unsigned long h;
+	unsigned long hash_array[2];
+	int hash_index;
 	BUF_MEM *b=NULL;
 	X509_OBJECT stmp,*tmp;
 	const char *postfix="";
@@ -323,6 +325,11 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 	ctx=(BY_DIR *)xl->method_data;
 
 	h=X509_NAME_hash(name);
+	hash_array[0]=h;
+	hash_array[1]=X509_NAME_hash_old(name);
+	for (hash_index=0; hash_index < 2; hash_index++)
+		{
+		h=hash_array[hash_index];
 	for (i=0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++)
 		{
 		BY_DIR_ENTRY *ent;
@@ -476,6 +483,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 			goto finish;
 			}
 		}
+		}
 finish:
 	if (b != NULL) BUF_MEM_free(b);
 	return(ok);