From 753435403e3e6275b993719890687e7df06b7f63 Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Mon, 21 Mar 2022 13:34:32 -0600
Subject: [PATCH] Replace internal use sha1 hash with sha256.
Change-Id: Ifdb2fe5952930c33dfa9ea5bbdb9d1ce699952a4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52027
Reviewed-by: David Benjamin
Reviewed-by: Adam Langley
Commit-Queue: David Benjamin
---
 crypto/x509/internal.h | 4 ++--
 crypto/x509/x509_cmp.c | 6 +++---
 crypto/x509/x_crl.c | 2 +-
 crypto/x509v3/v3_purp.c | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 99319c8dd..ff8288fd7 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -156,7 +156,7 @@ struct x509_st {
 STACK_OF(DIST_POINT) *crldp;
 STACK_OF(GENERAL_NAME) *altname;
 NAME_CONSTRAINTS *nc;
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ unsigned char cert_hash[SHA256_DIGEST_LENGTH];
 X509_CERT_AUX *aux;
 CRYPTO_BUFFER *buf;
 CRYPTO_MUTEX lock;
@@ -219,7 +219,7 @@ struct X509_crl_st {
 // CRL and base CRL numbers for delta processing
 ASN1_INTEGER *crl_number;
 ASN1_INTEGER *base_crl_number;
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ unsigned char crl_hash[SHA256_DIGEST_LENGTH];
 STACK_OF(GENERAL_NAMES) *issuers;
 const X509_CRL_METHOD *meth;
 void *meth_data;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 5811f4402..e9e1d8cd1 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -101,7 +101,7 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
 int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
 {
- return OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, 20);
+ return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH);
 }
 X509_NAME *X509_get_issuer_name(const X509 *a)
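Review bot: Neither renamed digest field says what it covers: `cert_hash` in struct x509_st (first hunk of crypto/x509/internal.h) and `crl_hash` in struct X509_crl_st (second hunk) have no comment, and the new names no longer state the algorithm. A one-line comment on each would help, for example `// cert_hash is the SHA-256 digest of the certificate, filled in by |x509v3_cache_extensions|.` and `// crl_hash is the SHA-256 digest of the CRL, computed in |crl_cb| on ASN1_OP_D2I_POST.` It is also worth recording that these are used for internal comparison and, per the existing comment in X509_cmp, may be all zeros if hashing failed. Both struct definitions start and end outside their hunks.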
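Review bot: The comparison length in X509_CRL_match (crypto/x509/x509_cmp.c) is still written separately from the array it measures; the literal `20` this commit replaces shows how such a length can be missed when the digest changes, and a length larger than the array would read past it. Taking the size from the field keeps the two in step: `return OPENSSL_memcmp(a->crl_hash, b->crl_hash, sizeof(a->crl_hash));`. The same applies to the `cert_hash` comparison in X509_cmp in the later hunk of this file: `int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, sizeof(a->cert_hash));`.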
@@ -154,7 +154,7 @@ unsigned long X509_subject_name_hash_old(X509 *x)
 */
 int X509_cmp(const X509 *a, const X509 *b)
 {
- /* Fill in the |sha1_hash| fields.
+ /* Fill in the |cert_hash| fields.
 *
 * TODO(davidben): This may fail, in which case the the hash will be all
 * zeros. This produces a consistent comparison (failures are sticky), but
@@ -165,7 +165,7 @@ int X509_cmp(const X509 *a, const X509 *b)
 x509v3_cache_extensions((X509 *)a);
 x509v3_cache_extensions((X509 *)b);
- int rv = OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+ int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
 if (rv)
 return rv;
 /* Check for match against stored encoding too */
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index f010849b2..ab2a0393e 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -251,7 +251,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 break;
 case ASN1_OP_D2I_POST:
- if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) {
+ if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) {
 return 0;
 }
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 133839adc..909a8dbf3 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -437,7 +437,7 @@ int x509v3_cache_extensions(X509 *x)
 return (x->ex_flags & EXFLAG_INVALID) == 0;
 }
- if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
+ if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL))
 x->ex_flags |= EXFLAG_INVALID;
 /* V1 should mean no extensions ... */
 if (X509_get_version(x) == X509_VERSION_1)
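Review bot: When `X509_digest` fails in x509v3_cache_extensions (crypto/x509v3/v3_purp.c), the new code sets `EXFLAG_INVALID` but leaves `cert_hash` as it was, while the comment in X509_cmp relies on the hash being all zeros after a failure. Nothing visible in this hunk guarantees that, so it may be worth making it explicit by bracing the branch and adding `OPENSSL_memset(x->cert_hash, 0, sizeof(x->cert_hash));` before `x->ex_flags |= EXFLAG_INVALID;`. Braces would also keep a later edit to this single-statement `if` from silently falling outside it. The function body starts and ends outside the hunk.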