[Privoxy-commits] [privoxy] 02/03: Use SHA256 as hash algorithm for the certificate and key file names
User Git
git at git.privoxy.org
Thu Jul 11 10:07:46 CEST 2024
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit a581c2616a10cdc819f01173514589b476ddd79d
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Wed Jun 26 15:23:25 2024 +0200
Use SHA256 as hash algorithm for the certificate and key file names
... instead of MD5.
The known MD5 vulnerabilities shoulnd't matter for Privoxy's use case
but it doesn't hurt to use a hash algorithm that isn't deprecated.
Sponsored by: Robert Klemme
---
openssl.c | 13 ++++++-------
project.h | 2 +-
ssl.c | 29 +++++++++--------------------
wolfssl.c | 28 +++++++---------------------
4 files changed, 23 insertions(+), 49 deletions(-)
diff --git a/openssl.c b/openssl.c
index 97cfc2b0..d647543b 100644
--- a/openssl.c
+++ b/openssl.c
@@ -36,7 +36,7 @@
#include <openssl/bn.h>
#include <openssl/opensslv.h>
#include <openssl/pem.h>
-#include <openssl/md5.h>
+#include <openssl/sha.h>
#include <openssl/x509v3.h>
#ifdef _WIN32
/* https://www.openssl.org/docs/faq.html
@@ -706,8 +706,8 @@ exit:
*
* Function : host_to_hash
*
- * Description : Creates MD5 hash from host name. Host name is loaded
- * from structure csp and saved again into it.
+ * Description : Creates a sha256 hash from host name. The host name
+ * is taken from the csp structure and stored into it.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
@@ -719,14 +719,13 @@ exit:
static int host_to_hash(struct client_state *csp)
{
int ret = 0;
+ size_t i;
- memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host));
- MD5((unsigned char *)csp->http->host, strlen(csp->http->host),
+ SHA256((unsigned char *)csp->http->host, strlen(csp->http->host),
csp->http->hash_of_host);
/* Converting hash into string with hex */
- size_t i = 0;
- for (; i < 16; i++)
+ for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++)
{
if ((ret = sprintf((char *)csp->http->hash_of_host_hex + 2 * i, "%02x",
csp->http->hash_of_host[i])) < 0)
diff --git a/project.h b/project.h
index 6aaefd74..0a1740a7 100644
--- a/project.h
+++ b/project.h
@@ -50,7 +50,7 @@
*/
#define CERT_INFO_BUF_SIZE 4096
#define ISSUER_NAME_BUF_SIZE 2048
-#define HASH_OF_HOST_BUF_SIZE 16
+#define HASH_OF_HOST_BUF_SIZE 32
#endif /* FEATURE_HTTPS_INSPECTION */
#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS
diff --git a/ssl.c b/ssl.c
index 0df73334..04963541 100644
--- a/ssl.c
+++ b/ssl.c
@@ -38,7 +38,7 @@
# include MBEDTLS_CONFIG_FILE
#endif
-#include "mbedtls/md5.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/pem.h"
#include "mbedtls/base64.h"
#include "mbedtls/error.h"
@@ -1787,8 +1787,8 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt,
*
* Function : host_to_hash
*
- * Description : Creates MD5 hash from host name. Host name is loaded
- * from structure csp and saved again into it.
+ * Description : Creates a sha256 hash from host name. The host name
+ * is taken from the csp structure and stored into it.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
@@ -1799,25 +1799,14 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt,
*********************************************************************/
static int host_to_hash(struct client_state *csp)
{
- int ret = 0;
+ int ret;
+ size_t i;
-#if !defined(MBEDTLS_MD5_C)
-#error mbedTLS needs to be compiled with md5 support
-#else
- memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host));
- ret = mbedtls_md5_ret((unsigned char *)csp->http->host,
- strlen(csp->http->host), csp->http->hash_of_host);
- if (ret != 0)
- {
- log_error(LOG_LEVEL_ERROR,
- "Failed to generate md5 hash of host %s: %d",
- csp->http->host, ret);
- return -1;
- }
+ mbedtls_sha256((unsigned char *)csp->http->host,
+ strlen(csp->http->host), csp->http->hash_of_host, 0);
/* Converting hash into string with hex */
- size_t i = 0;
- for (; i < 16; i++)
+ for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++)
{
if ((ret = sprintf((char *)csp->http->hash_of_host_hex + 2 * i, "%02x",
csp->http->hash_of_host[i])) < 0)
@@ -1828,7 +1817,7 @@ static int host_to_hash(struct client_state *csp)
}
return 0;
-#endif /* MBEDTLS_MD5_C */
+
}
/*********************************************************************
diff --git a/wolfssl.c b/wolfssl.c
index 7c934446..717be050 100644
--- a/wolfssl.c
+++ b/wolfssl.c
@@ -724,8 +724,8 @@ exit:
*
* Function : host_to_hash
*
- * Description : Creates MD5 hash from host name. Host name is loaded
- * from structure csp and saved again into it.
+ * Description : Creates a sha256 hash from host name. The host name
+ * is taken from the csp structure and stored into it.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
@@ -736,33 +736,18 @@ exit:
*********************************************************************/
static int host_to_hash(struct client_state *csp)
{
- wc_Md5 md5;
int ret;
size_t i;
- ret = wc_InitMd5(&md5);
+ ret = wc_Sha256Hash((const byte *)csp->http->host,
+ (word32)strlen(csp->http->host), (byte *)csp->http->hash_of_host);
if (ret != 0)
{
- return -1;
+ return -1;
}
- ret = wc_Md5Update(&md5, (const byte *)csp->http->host,
- (word32)strlen(csp->http->host));
- if (ret != 0)
- {
- return -1;
- }
-
- ret = wc_Md5Final(&md5, csp->http->hash_of_host);
- if (ret != 0)
- {
- return -1;
- }
-
- wc_Md5Free(&md5);
-
/* Converting hash into string with hex */
- for (i = 0; i < 16; i++)
+ for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++)
{
ret = snprintf((char *)csp->http->hash_of_host_hex + 2 * i,
sizeof(csp->http->hash_of_host_hex) - 2 * i,
@@ -775,6 +760,7 @@ static int host_to_hash(struct client_state *csp)
}
return 0;
+
}
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Privoxy-commits
mailing list