From a581c2616a10cdc819f01173514589b476ddd79d Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Wed, 26 Jun 2024 15:23:25 +0200 Subject: [PATCH] Use SHA256 as hash algorithm for the certificate and key file names ... instead of MD5. The known MD5 vulnerabilities shoulnd't matter for Privoxy's use case but it doesn't hurt to use a hash algorithm that isn't deprecated. Sponsored by: Robert Klemme --- openssl.c | 13 ++++++------- project.h | 2 +- ssl.c | 29 +++++++++-------------------- wolfssl.c | 28 +++++++--------------------- 4 files changed, 23 insertions(+), 49 deletions(-) diff --git a/openssl.c b/openssl.c index 97cfc2b0..d647543b 100644 --- a/openssl.c +++ b/openssl.c @@ -36,7 +36,7 @@ #include #include #include -#include +#include #include #ifdef _WIN32 /* https://www.openssl.org/docs/faq.html @@ -706,8 +706,8 @@ exit: * * Function : host_to_hash * - * Description : Creates MD5 hash from host name. Host name is loaded - * from structure csp and saved again into it. + * Description : Creates a sha256 hash from host name. The host name + * is taken from the csp structure and stored into it. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -719,14 +719,13 @@ exit: static int host_to_hash(struct client_state *csp) { int ret = 0; + size_t i; - memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host)); - MD5((unsigned char *)csp->http->host, strlen(csp->http->host), + SHA256((unsigned char *)csp->http->host, strlen(csp->http->host), csp->http->hash_of_host); /* Converting hash into string with hex */ - size_t i = 0; - for (; i < 16; i++) + for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++) { if ((ret = sprintf((char *)csp->http->hash_of_host_hex + 2 * i, "%02x", csp->http->hash_of_host[i])) < 0) diff --git a/project.h b/project.h index 6aaefd74..0a1740a7 100644 --- a/project.h +++ b/project.h @@ -50,7 +50,7 @@ */ #define CERT_INFO_BUF_SIZE 4096 #define ISSUER_NAME_BUF_SIZE 2048 -#define HASH_OF_HOST_BUF_SIZE 16 +#define HASH_OF_HOST_BUF_SIZE 32 #endif /* FEATURE_HTTPS_INSPECTION */ #ifdef FEATURE_HTTPS_INSPECTION_MBEDTLS diff --git a/ssl.c b/ssl.c index 0df73334..04963541 100644 --- a/ssl.c +++ b/ssl.c @@ -38,7 +38,7 @@ # include MBEDTLS_CONFIG_FILE #endif -#include "mbedtls/md5.h" +#include "mbedtls/sha256.h" #include "mbedtls/pem.h" #include "mbedtls/base64.h" #include "mbedtls/error.h" @@ -1787,8 +1787,8 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt, * * Function : host_to_hash * - * Description : Creates MD5 hash from host name. Host name is loaded - * from structure csp and saved again into it. + * Description : Creates a sha256 hash from host name. The host name + * is taken from the csp structure and stored into it. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -1799,25 +1799,14 @@ static int ssl_verify_callback(void *csp_void, mbedtls_x509_crt *crt, *********************************************************************/ static int host_to_hash(struct client_state *csp) { - int ret = 0; + int ret; + size_t i; -#if !defined(MBEDTLS_MD5_C) -#error mbedTLS needs to be compiled with md5 support -#else - memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host)); - ret = mbedtls_md5_ret((unsigned char *)csp->http->host, - strlen(csp->http->host), csp->http->hash_of_host); - if (ret != 0) - { - log_error(LOG_LEVEL_ERROR, - "Failed to generate md5 hash of host %s: %d", - csp->http->host, ret); - return -1; - } + mbedtls_sha256((unsigned char *)csp->http->host, + strlen(csp->http->host), csp->http->hash_of_host, 0); /* Converting hash into string with hex */ - size_t i = 0; - for (; i < 16; i++) + for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++) { if ((ret = sprintf((char *)csp->http->hash_of_host_hex + 2 * i, "%02x", csp->http->hash_of_host[i])) < 0) @@ -1828,7 +1817,7 @@ static int host_to_hash(struct client_state *csp) } return 0; -#endif /* MBEDTLS_MD5_C */ + } /********************************************************************* diff --git a/wolfssl.c b/wolfssl.c index 7c934446..717be050 100644 --- a/wolfssl.c +++ b/wolfssl.c @@ -724,8 +724,8 @@ exit: * * Function : host_to_hash * - * Description : Creates MD5 hash from host name. Host name is loaded - * from structure csp and saved again into it. + * Description : Creates a sha256 hash from host name. The host name + * is taken from the csp structure and stored into it. * * Parameters : * 1 : csp = Current client state (buffers, headers, etc...) @@ -736,33 +736,18 @@ exit: *********************************************************************/ static int host_to_hash(struct client_state *csp) { - wc_Md5 md5; int ret; size_t i; - ret = wc_InitMd5(&md5); + ret = wc_Sha256Hash((const byte *)csp->http->host, + (word32)strlen(csp->http->host), (byte *)csp->http->hash_of_host); if (ret != 0) { - return -1; + return -1; } - ret = wc_Md5Update(&md5, (const byte *)csp->http->host, - (word32)strlen(csp->http->host)); - if (ret != 0) - { - return -1; - } - - ret = wc_Md5Final(&md5, csp->http->hash_of_host); - if (ret != 0) - { - return -1; - } - - wc_Md5Free(&md5); - /* Converting hash into string with hex */ - for (i = 0; i < 16; i++) + for (i = 0; i < HASH_OF_HOST_BUF_SIZE; i++) { ret = snprintf((char *)csp->http->hash_of_host_hex + 2 * i, sizeof(csp->http->hash_of_host_hex) - 2 * i, @@ -775,6 +760,7 @@ static int host_to_hash(struct client_state *csp) } return 0; + } -- 2.39.2