... instead of MD5.
The known MD5 vulnerabilities shouldn't matter for Privoxy's use case
but it doesn't hurt to use a hash algorithm that isn't deprecated.
Sponsored by: Robert Klemme
#include <openssl/bn.h>
#include <openssl/opensslv.h>
#include <openssl/pem.h>
-#include <openssl/md5.h>
+#include <openssl/sha.h>
#include <openssl/x509v3.h>
#ifdef _WIN32
/* https://www.openssl.org/docs/faq.html
*
* Function : host_to_hash
*
- * Description : Creates MD5 hash from host name. Host name is loaded
- * from structure csp and saved again into it.
+ * Description : Creates a sha256 hash from host name. The host name
+ * is taken from the csp structure and stored into it.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
static int host_to_hash(struct client_state *csp)
{
int ret = 0;
+ size_t i;
- memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host));
- MD5((unsigned char *)csp->http->host, strlen(csp->http->host),
+ SHA256((unsigned char *)csp->http->host, strlen(csp->http->host),
csp->http->hash_of_host);
/* Converting hash into string with hex */
- size_t i = 0;
- for (; i < 16; i++)
+ for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++)
{
if ((ret = sprintf((char *)csp->http->hash_of_host_hex + 2 * i, "%02x",
csp->http->hash_of_host[i])) < 0)
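Review bot: The hex loop in the OpenSSL `host_to_hash` still uses an unbounded `sprintf`, and with the loop bound raised to 32 it now writes 65 bytes (64 hex characters plus the terminator) into `csp->http->hash_of_host_hex`. That is only safe if the buffer's declaration, which is not visible here, is derived from `HASH_OF_HOST_BUF_SIZE`. The wolfSSL variant already uses the bounded form, so I would match it here: `snprintf((char *)csp->http->hash_of_host_hex + 2 * i, sizeof(csp->http->hash_of_host_hex) - 2 * i, "%02x", csp->http->hash_of_host[i])`. The result of `SHA256()` is also ignored while the `memset` of `hash_of_host` is dropped, so a failed digest would be hex-encoded from whatever the buffer held; checking for a `NULL` return and returning -1 would close that. The function body continues past the end of this hunk.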
*/
#define CERT_INFO_BUF_SIZE 4096
#define ISSUER_NAME_BUF_SIZE 2048
-#define HASH_OF_HOST_BUF_SIZE 16
+#define HASH_OF_HOST_BUF_SIZE 32
#endif /* FEATURE_HTTPS_INSPECTION */
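Review bot: `HASH_OF_HOST_BUF_SIZE` is now an implicit contract with the digest algorithm, but nothing on the define says so. All three `host_to_hash` variants let the TLS library write a full SHA-256 digest into `hash_of_host` and then loop up to this constant. I would add a comment on the define such as `/* Must equal the SHA-256 digest size in bytes; hash_of_host and hash_of_host_hex are sized from it */`, and, if the buffer declarations are reachable from this header, a `_Static_assert` tying the two together. The hex form also grows from 32 to 64 characters, so any buffer or path built from `hash_of_host_hex` elsewhere should be checked against the new length; those uses are not visible on this page.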
#ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS
# include MBEDTLS_CONFIG_FILE
#endif
-#include "mbedtls/md5.h"
+#include "mbedtls/sha256.h"
#include "mbedtls/pem.h"
#include "mbedtls/base64.h"
#include "mbedtls/error.h"
*
* Function : host_to_hash
*
- * Description : Creates MD5 hash from host name. Host name is loaded
- * from structure csp and saved again into it.
+ * Description : Creates a sha256 hash from host name. The host name
+ * is taken from the csp structure and stored into it.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
*********************************************************************/
static int host_to_hash(struct client_state *csp)
{
- int ret = 0;
+ int ret;
+ size_t i;
-#if !defined(MBEDTLS_MD5_C)
-#error mbedTLS needs to be compiled with md5 support
-#else
- memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host));
- ret = mbedtls_md5_ret((unsigned char *)csp->http->host,
- strlen(csp->http->host), csp->http->hash_of_host);
- if (ret != 0)
- {
- log_error(LOG_LEVEL_ERROR,
- "Failed to generate md5 hash of host %s: %d",
- csp->http->host, ret);
- return -1;
- }
+ mbedtls_sha256((unsigned char *)csp->http->host,
+ strlen(csp->http->host), csp->http->hash_of_host, 0);
/* Converting hash into string with hex */
- size_t i = 0;
- for (; i < 16; i++)
+ for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++)
{
if ((ret = sprintf((char *)csp->http->hash_of_host_hex + 2 * i, "%02x",
csp->http->hash_of_host[i])) < 0)
}
return 0;
-#endif /* MBEDTLS_MD5_C */
+
}
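Review bot: The mbedTLS `host_to_hash` no longer checks whether hashing succeeded, because the new `mbedtls_sha256()` call discards any result, while the removed code checked `mbedtls_md5_ret()` and logged on failure. Since the `memset` of `hash_of_host` is removed as well, a failed digest would be hex-encoded from stale buffer contents and used as if it were valid. The old code targeted the `_ret` API, so `mbedtls_sha256_ret()` looks like the matching checked call, assuming the build is against mbedTLS 2.x; on 3.x `mbedtls_sha256()` itself returns `int`. The `MBEDTLS_MD5_C` compile guard is also dropped without an `MBEDTLS_SHA256_C` equivalent, which may be worth restoring so a library built without SHA-256 fails with a clear message.

```c
   ret = mbedtls_sha256_ret((unsigned char *)csp->http->host,
      strlen(csp->http->host), csp->http->hash_of_host, 0);
   if (ret != 0)
   {
      log_error(LOG_LEVEL_ERROR,
         "Failed to generate sha256 hash of host %s: %d",
         csp->http->host, ret);
      return -1;
   }
   /* ... unchanged: hex conversion loop ... */
```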
/*********************************************************************
*
* Function : host_to_hash
*
- * Description : Creates MD5 hash from host name. Host name is loaded
- * from structure csp and saved again into it.
+ * Description : Creates a sha256 hash from host name. The host name
+ * is taken from the csp structure and stored into it.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
*********************************************************************/
static int host_to_hash(struct client_state *csp)
{
- wc_Md5 md5;
int ret;
size_t i;
- ret = wc_InitMd5(&md5);
+ ret = wc_Sha256Hash((const byte *)csp->http->host,
+ (word32)strlen(csp->http->host), (byte *)csp->http->hash_of_host);
if (ret != 0)
{
- return -1;
+ return -1;
}
- ret = wc_Md5Update(&md5, (const byte *)csp->http->host,
- (word32)strlen(csp->http->host));
- if (ret != 0)
- {
- return -1;
- }
-
- ret = wc_Md5Final(&md5, csp->http->hash_of_host);
- if (ret != 0)
- {
- return -1;
- }
-
- wc_Md5Free(&md5);
-
/* Converting hash into string with hex */
- for (i = 0; i < 16; i++)
+ for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++)
{
ret = snprintf((char *)csp->http->hash_of_host_hex + 2 * i,
sizeof(csp->http->hash_of_host_hex) - 2 * i,
}
return 0;
+
}
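Review bot: In the wolfSSL `host_to_hash`, the failure path after `wc_Sha256Hash()` returns -1 without recording the error code, so a hashing failure during HTTPS inspection leaves nothing in the log to diagnose it. The removed mbedTLS code logged the equivalent failure, and assuming `log_error` is available in this file too, I would add `log_error(LOG_LEVEL_ERROR, "Failed to generate sha256 hash of host %s: %d", csp->http->host, ret);` before the `return -1;`. The bounded `snprintf` and the checked return here are the pattern the other two variants should follow. Part of the hex-conversion loop lies outside the visible lines.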