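--- a/src/hash/clu_hash.c
+++ b/src/hash/clu_hash.c
@@ -121,7 +121,8 @@ int wolfCLU_hash(WOLFSSL_BIO* bioIn, WOLFSSL_BIO* bioOut, const char* alg,
 }
 #endif
 #ifndef NO_SHA
-if (ret == WOLFCLU_SUCCESS && XSTRNCMP(alg, "sha", 3) == 0) {
+if (ret == WOLFCLU_SUCCESS && XSTRNCMP(alg, "sha", 3) == 0
+&& XSTRLEN(alg) == 3) {
 ret = wc_ShaHash(input, inputSz, output);
 }
 #endif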
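Review bot: The two-part test `XSTRNCMP(alg, "sha", 3) == 0 && XSTRLEN(alg) == 3` is an exact string match written the long way; `XSTRCMP(alg, "sha") == 0` says the same thing and matches the form this change already uses in the `algs[]` loop of clu_hash_setup.c. The same applies to the `size = WC_SHA_DIGEST_SIZE` guard in the second hunk of clu_hash_setup.c. A short comment such as `/* exact match only: "sha" is also a prefix of the longer SHA names */` would record why the length matters, since a prefix hit on this branch selects SHA-1. The other algorithm branches of wolfCLU_hash are outside this hunk, so whether any of them still compares by prefix cannot be seen from here.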
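--- a/src/hash/clu_hash_setup.c
+++ b/src/hash/clu_hash_setup.c
@@ -81,7 +81,7 @@ int wolfCLU_hashSetup(int argc, char** argv)
 
 for (i = 0; i < (int)algsSz; ++i) {
 /* checks for acceptable algorithms */
-if (XSTRNCMP(argv[2], algs[i], XSTRLEN(algs[i])) == 0) {
+if (XSTRCMP(argv[2], algs[i]) == 0) {
 alg = argv[2];
 algCheck = 1;
 }
@@ -140,7 +140,7 @@ int wolfCLU_hashSetup(int argc, char** argv)
 #endif
 
 #ifndef NO_SHA
-if (XSTRNCMP(alg, "sha", 3) == 0)
+if ((XSTRNCMP(alg, "sha", 3) == 0) && (XSTRLEN(alg) == 3))
 size = WC_SHA_DIGEST_SIZE;
 #endif
 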
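Review bot: Nothing visible on this page exercises the new exact match in the `algs[]` loop; the only test edit shown is the OCSP grep pattern. A negative case in the hash tests, passing an algorithm argument that merely starts with a supported name and expecting rejection, would keep prefix acceptance from returning unnoticed. The loop also keeps iterating after `algCheck = 1;`. With an exact comparison a `break;` there would be enough, provided nothing later in the loop body (which closes outside the hunk) depends on a full pass.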
24 changes: 15 additions & 9 deletions src/x509/clu_x509_sign.c
Expand Up @@ -257,7 +257,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
const char *altSigAlgOid = "2.5.29.73";
const char *altSigValOid = "2.5.29.74";

/*
/*
* LARGE_TEMO_SZ defines the size of temporary buffers used for signature key,
* verification key and signature value buffers.
* The value 11264 is enough for P-521 and ML-DSA-87 PEM certs.
Expand Down Expand Up @@ -397,7 +397,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
ret = WOLFCLU_FATAL_ERROR;
}
}

if (ret == 0) {
XMEMSET(caKeyBuf, 0, caKeySz); /* clear original buffer */
caKeySz = derObj->length;
Expand Down Expand Up @@ -667,13 +667,13 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,

if (ret == WOLFCLU_SUCCESS) {
switch (level) {
case 2:
case 2:
newCert.sigType = CTC_SHA256wECDSA;
break;
case 3:
case 3:
newCert.sigType = CTC_SHA384wECDSA;
break;
case 5:
case 5:
newCert.sigType = CTC_SHA512wECDSA;
break;
}
Expand All @@ -691,7 +691,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
else {
ret = WOLFCLU_SUCCESS;
}
}
}
}

if (ret == WOLFCLU_SUCCESS) {
Expand All @@ -715,7 +715,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
}

if (ret == WOLFCLU_SUCCESS && isCA) {
ret = wc_MakeCert(&newCert, scratchBuf,
ret = wc_MakeCert(&newCert, scratchBuf,
scratchSz, NULL, &caKey, &rng);
if (ret <= 0) {
wolfCLU_LogError("Error making certificate");
Expand All @@ -732,7 +732,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
scratchSz = ret;
ret = WOLFCLU_SUCCESS;
}
}
}
}
else if (ret == WOLFCLU_SUCCESS && !isCA) {
ret = wc_MakeCert(&newCert, scratchBuf, scratchSz,
Expand Down Expand Up @@ -1274,7 +1274,13 @@ int wolfCLU_CertSign(WOLFCLU_CERT_SIGN* csign, WOLFSSL_X509* x509)
case WC_HASH_TYPE_BLAKE2B:
case WC_HASH_TYPE_BLAKE2S:

#if LIBWOLFSSL_VERSION_HEX > 0x05001000
#if LIBWOLFSSL_VERSION_HEX >= 0x05009000
case WC_HASH_TYPE_SHA512_224:
case WC_HASH_TYPE_SHA512_256:
case WC_HASH_TYPE_SHAKE128:
case WC_HASH_TYPE_SHAKE256:
case WC_HASH_TYPE_SM3:
#elif LIBWOLFSSL_VERSION_HEX > 0x05001000
Comment on lines +1277 to +1283

Copilot AI Apr 2, 2026


The PR description doesn’t mention this change in certificate-signing hash handling. Also, introducing a new hard-coded wolfSSL version threshold (>= 0x05009000) is inconsistent with the rest of the codebase (which generally gates on > 0x05001000) and drops the previous per-feature guards (e.g., WOLFSSL_SHAKE128/WOLFSSL_SHAKE256). Consider documenting why 5.9.0 is required here, or switching to feature/enum-availability guards to avoid version-specific build regressions.

#ifndef WOLFSSL_NOSHA512_224
case WC_HASH_TYPE_SHA512_224:
#endif
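Review bot: `switch (level)` in the hunk at -667 has no `default`, so a level other than 2, 3 or 5 leaves `newCert.sigType` at whatever it held before while `ret` stays `WOLFCLU_SUCCESS`. If level is not validated earlier in wolfCLU_GenChimeraCertSign (that part is outside the hunk), add `default: ret = WOLFCLU_FATAL_ERROR; break;` together with a `wolfCLU_LogError` message, so an unexpected level cannot fall through to signing with an unintended signature type. This hunk only strips trailing whitespace, so the fix may belong in a follow-up change.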
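--- a/tests/ocsp/ocsp-interop-test.sh
+++ b/tests/ocsp/ocsp-interop-test.sh
@@ -293,7 +293,7 @@ if [ $RESULT = 0 ]; then
 fi
 
 # Check for error message
-grep -qi "fail\|error\|not found\|unable" "$TEST_DIR/test6.log"
+grep -qi "fail\|error\|not found\|unable\|no such\|could not" "$TEST_DIR/test6.log"
 if [ $? != 0 ]; then
 echo "Test 6 failed: expected error message about invalid file"
 exit 99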
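Review bot: The widened pattern relies on `\|` alternation inside a basic regular expression, which is a GNU grep extension rather than POSIX; `grep -qiE "fail|error|not found|unable|no such|could not" "$TEST_DIR/test6.log"` is the portable spelling. Each added alternative also loosens what counts as the expected failure, so an unrelated error in test6.log can now satisfy the check. A comment above the grep naming which tool output produces "no such" and "could not" would let a later reader judge whether the list can be narrowed again.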