Replace internal use sha1 hash with sha256.

Change-Id: Ifdb2fe5952930c33dfa9ea5bbdb9d1ce699952a4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52027
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
fips-20220613
Bob Beck 3 years ago committed by Boringssl LUCI CQ
parent 8bbefbfeee
commit 753435403e
  1. 4
      crypto/x509/internal.h
  2. 6
      crypto/x509/x509_cmp.c
  3. 2
      crypto/x509/x_crl.c
  4. 2
      crypto/x509v3/v3_purp.c

@ -156,7 +156,7 @@ struct x509_st {
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
unsigned char cert_hash[SHA256_DIGEST_LENGTH];
X509_CERT_AUX *aux;
CRYPTO_BUFFER *buf;
CRYPTO_MUTEX lock;
@ -219,7 +219,7 @@ struct X509_crl_st {
// CRL and base CRL numbers for delta processing
ASN1_INTEGER *crl_number;
ASN1_INTEGER *base_crl_number;
unsigned char sha1_hash[SHA_DIGEST_LENGTH];
unsigned char crl_hash[SHA256_DIGEST_LENGTH];
STACK_OF(GENERAL_NAMES) *issuers;
const X509_CRL_METHOD *meth;
void *meth_data;
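Review bot: The renamed `cert_hash` and `crl_hash` fields carry no comment saying what they hold or who fills them, and both struct definitions extend beyond these hunks. Going by the other files in this commit, `cert_hash` is written by `x509v3_cache_extensions` and `crl_hash` by `crl_cb` at `ASN1_OP_D2I_POST`, both with SHA-256. I would add `// cert_hash is the SHA-256 digest of the encoded certificate, filled in by x509v3_cache_extensions and used only for internal comparison.` above the first field, and a matching line for `crl_hash`. That keeps a reader from using the field before it is populated or treating it as a SHA-1 fingerprint.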

@ -101,7 +101,7 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b)
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
{
return OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, 20);
return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH);
}
X509_NAME *X509_get_issuer_name(const X509 *a)
@ -154,7 +154,7 @@ unsigned long X509_subject_name_hash_old(X509 *x)
*/
int X509_cmp(const X509 *a, const X509 *b)
{
/* Fill in the |sha1_hash| fields.
/* Fill in the |cert_hash| fields.
*
* TODO(davidben): This may fail, in which case the the hash will be all
* zeros. This produces a consistent comparison (failures are sticky), but
@ -165,7 +165,7 @@ int X509_cmp(const X509 *a, const X509 *b)
x509v3_cache_extensions((X509 *)a);
x509v3_cache_extensions((X509 *)b);
int rv = OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
if (rv)
return rv;
/* Check for match against stored encoding too */
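Review bot: Both comparisons spell out the length as `SHA256_DIGEST_LENGTH` separately from the field declaration, which is the same coupling that left a literal `20` in `X509_CRL_match` before this change. Tying the length to the field keeps the compare in step with the array if the digest is ever changed again: `return OPENSSL_memcmp(a->crl_hash, b->crl_hash, sizeof(a->crl_hash));` and `int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, sizeof(a->cert_hash));`. `X509_cmp` continues past the end of the last hunk.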

@ -251,7 +251,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
break;
case ASN1_OP_D2I_POST:
if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) {
if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) {
return 0;
}
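Review bot: `crl_hash` is computed only here, at `ASN1_OP_D2I_POST`, and nothing in the hunk says that `X509_CRL_match` depends on it. A short comment such as `// Cache the SHA-256 of the parsed CRL; X509_CRL_match compares these digests.` would make the dependency visible. It also looks as if a CRL that never went through parsing would keep whatever the field was initialised to, so it is worth confirming that no caller hands such an object to `X509_CRL_match`. `crl_cb` begins and ends outside the hunk.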

@ -437,7 +437,7 @@ int x509v3_cache_extensions(X509 *x)
return (x->ex_flags & EXFLAG_INVALID) == 0;
}
if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL))
x->ex_flags |= EXFLAG_INVALID;
/* V1 should mean no extensions ... */
if (X509_get_version(x) == X509_VERSION_1)
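Review bot: When `X509_digest` fails, only `EXFLAG_INVALID` is set and `cert_hash` is left as it was, while the comment in `X509_cmp` relies on a failed hash being all zeros. Whether `X509_digest` can leave a partial write in the buffer is not visible from this hunk, so I would make the zero state explicit and brace the body to match the `x_crl.c` hunk: `if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) {`, `OPENSSL_memset(x->cert_hash, 0, sizeof(x->cert_hash));`, `x->ex_flags |= EXFLAG_INVALID; }`. `x509v3_cache_extensions` starts and ends outside the hunk.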
