Replace internal use sha1 hash with sha256.
Change-Id: Ifdb2fe5952930c33dfa9ea5bbdb9d1ce699952a4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52027
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 99319c8..ff8288f 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -156,7 +156,7 @@
STACK_OF(DIST_POINT) *crldp;
STACK_OF(GENERAL_NAME) *altname;
NAME_CONSTRAINTS *nc;
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ unsigned char cert_hash[SHA256_DIGEST_LENGTH];
X509_CERT_AUX *aux;
CRYPTO_BUFFER *buf;
CRYPTO_MUTEX lock;
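Review bot: The renamed `cert_hash` field has no comment saying what it is a digest of, who fills it in, or when it is valid, and the same is true of `crl_hash` in the second hunk of this file. From the other hunks, `cert_hash` is written by the `X509_digest(x, EVP_sha256(), ...)` call in v3_purp.c and `crl_hash` by the `ASN1_OP_D2I_POST` case in x_crl.c. I would add `// cert_hash is the SHA-256 digest of the certificate, filled in by x509v3_cache_extensions; it may be unset if that call failed.` above the field, and an equivalent line for `crl_hash`. The struct definitions start and end outside both hunks, so existing documentation elsewhere in the header is not visible here.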
@@ -219,7 +219,7 @@
// CRL and base CRL numbers for delta processing
ASN1_INTEGER *crl_number;
ASN1_INTEGER *base_crl_number;
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+ unsigned char crl_hash[SHA256_DIGEST_LENGTH];
STACK_OF(GENERAL_NAMES) *issuers;
const X509_CRL_METHOD *meth;
void *meth_data;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 5811f44..e9e1d8c 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -101,7 +101,7 @@
int X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
{
- return OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, 20);
+ return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH);
}
X509_NAME *X509_get_issuer_name(const X509 *a)
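Review bot: The comparison length in `X509_CRL_match` is still spelled separately from the field it measures, so the two can drift apart again the next time the digest changes. The removed line hard-coded `20`, which is exactly that kind of drift. Prefer `return OPENSSL_memcmp(a->crl_hash, b->crl_hash, sizeof(a->crl_hash));`. The same applies to the `X509_cmp` hunk below, where `sizeof(a->cert_hash)` would replace `SHA256_DIGEST_LENGTH`.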
@@ -154,7 +154,7 @@
*/
int X509_cmp(const X509 *a, const X509 *b)
{
- /* Fill in the |sha1_hash| fields.
+ /* Fill in the |cert_hash| fields.
*
* TODO(davidben): This may fail, in which case the the hash will be all
* zeros. This produces a consistent comparison (failures are sticky), but
@@ -165,7 +165,7 @@
x509v3_cache_extensions((X509 *)a);
x509v3_cache_extensions((X509 *)b);
- int rv = OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+ int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);
if (rv)
return rv;
/* Check for match against stored encoding too */
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index f010849..ab2a039 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -251,7 +251,7 @@
break;
case ASN1_OP_D2I_POST:
- if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) {
+ if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) {
return 0;
}
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 133839a..909a8db 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -437,7 +437,7 @@
return (x->ex_flags & EXFLAG_INVALID) == 0;
}
- if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
+ if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL))
x->ex_flags |= EXFLAG_INVALID;
/* V1 should mean no extensions ... */
if (X509_get_version(x) == X509_VERSION_1)
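Review bot: When `X509_digest` fails here, only `EXFLAG_INVALID` is set and `cert_hash` keeps whatever it held before, yet `X509_cmp` compares `cert_hash` without looking at that flag. The TODO in `X509_cmp` assumes the hash is all zeros in that case, which presumably relies on the struct being zero-initialised and on the digest call not writing partial output; neither is visible in this hunk. Making that state explicit would remove the assumption: `if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) { OPENSSL_memset(x->cert_hash, 0, sizeof(x->cert_hash)); x->ex_flags |= EXFLAG_INVALID; }`. The enclosing function begins before this hunk and continues past it.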