ssl.c: refactor wolfSSL_LH_strhash() to use SHA1 instead of MD5, to eliminate dependency on deprecated alg.

2021-08-27 17:16:06 -05:00 · 2021-08-27 17:16:06 -05:00 · f1c1f76851
parent ddda108de6
commit f1c1f76851
2 changed files with 31 additions and 10 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -56161,36 +56161,55 @@ static int wolfssl_conf_value_cmp(const WOLFSSL_CONF_VALUE *a,
    }
 }

-/* Use MD5 for hashing as OpenSSL uses a hash algorithm that is
- * "not as good as MD5, but still good" so using MD5 should
- * be good enough for this application. The produced hashes don't
+/* Use SHA for hashing as OpenSSL uses a hash algorithm that is
+ * "not as good as MD5, but still good" so using SHA should be more
+ * than good enough for this application. The produced hashes don't
 * need to line up between OpenSSL and wolfSSL. The hashes are for
 * internal indexing only */
 unsigned long wolfSSL_LH_strhash(const char *str)
 {
    unsigned long ret = 0;
-#ifndef NO_MD5
+#ifndef NO_SHA
+    wc_Sha sha;
    int strLen;
-    byte digest[WC_MD5_DIGEST_SIZE];
+    byte digest[WC_SHA_DIGEST_SIZE];
 #endif
    WOLFSSL_ENTER("wolfSSL_LH_strhash");

    if (!str)
        return 0;

-#ifndef NO_MD5
+#ifndef NO_SHA
    strLen = (int)XSTRLEN(str);
-    if (wc_Md5Hash((const byte*)str, strLen, digest) != 0) {
-        WOLFSSL_MSG("wc_Md5Hash error");
+
+    if (wc_InitSha_ex(&sha, NULL, 0) != 0) {
+        WOLFSSL_MSG("SHA1 Init failed");
        return 0;
    }
+
+    ret = 0;
+    do {
+        if (wc_ShaUpdate(&sha, (const byte *)str, (word32)strLen) != 0) {
+            WOLFSSL_MSG("SHA1 Update failed");
+            break;
+        }
+        if (wc_ShaFinal(&sha, digest) != 0) {
+            WOLFSSL_MSG("SHA1 Final failed");
+            break;
+        }
+        ret = 1;
+    } while (0);
+    wc_ShaFree(&sha);
+    if (ret == 0)
+        return 0;
+
    /* Take first 4 bytes in small endian as unsigned long */
    ret  =  (unsigned int)digest[0];
    ret |= ((unsigned int)digest[1] << 8 );
    ret |= ((unsigned int)digest[2] << 16);
    ret |= ((unsigned int)digest[3] << 24);
 #else
-    WOLFSSL_MSG("No md5 available for wolfSSL_LH_strhash");
+    WOLFSSL_MSG("No SHA available for wolfSSL_LH_strhash");
 #endif
    return ret;
 }
--- a/tests/api.c
+++ b/tests/api.c
@ -29505,7 +29505,7 @@ static void test_wolfSSL_lhash(void)

    printf(testingFmt, "wolfSSL_LH_strhash()");

-    AssertIntEQ(lh_strhash(testStr), 0xb1231320);
+    AssertIntEQ(lh_strhash(testStr), 0x5b7541dc);

    printf(resultFmt, passed);
 #endif
@ -42923,7 +42923,9 @@ static void test_wolfSSL_EVP_get_digestbynid(void)

    printf(testingFmt, "wolfSSL_EVP_get_digestbynid");

+#ifndef NO_MD5
    AssertNotNull(wolfSSL_EVP_get_digestbynid(NID_md5));
+#endif
    AssertNotNull(wolfSSL_EVP_get_digestbynid(NID_sha1));
    AssertNull(wolfSSL_EVP_get_digestbynid(0));