[evolution-data-server] Use SHA256 instead of SHA1 where appropriate
- From: Milan Crha <mcrha src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [evolution-data-server] Use SHA256 instead of SHA1 where appropriate
- Date: Mon, 8 Mar 2021 10:24:20 +0000 (UTC)
commit 404f1e8ac4b3ae79a4db114205cf5928af298d3a
Author: Milan Crha <mcrha redhat com>
Date: Mon Mar 8 11:21:25 2021 +0100
Use SHA256 instead of SHA1 where appropriate
This changes defaults for message signing (in case it cannot be read
from the signature/certificate) and also uses SHA256 for certificate
checksum used by SSL trust setting. The change causes re-prompt for
the certificate trust in existing setups.
src/camel/camel-gpg-context.c | 2 +-
src/camel/camel-smime-context.c | 4 ++--
src/camel/tests/smime/pgp-mime.c | 2 +-
src/camel/tests/smime/pgp.c | 2 +-
src/camel/tests/smime/pkcs7.c | 4 ++--
src/libedataserver/e-source-webdav.c | 6 +++---
6 files changed, 10 insertions(+), 10 deletions(-)
---
diff --git a/src/camel/camel-gpg-context.c b/src/camel/camel-gpg-context.c
index 1f6a2f2f4..685d3ab25 100644
--- a/src/camel/camel-gpg-context.c
+++ b/src/camel/camel-gpg-context.c
@@ -2074,8 +2074,8 @@ gpg_hash_to_id (CamelCipherContext *context,
case CAMEL_CIPHER_HASH_MD5:
return "pgp-md5";
case CAMEL_CIPHER_HASH_SHA1:
- case CAMEL_CIPHER_HASH_DEFAULT:
return "pgp-sha1";
+ case CAMEL_CIPHER_HASH_DEFAULT:
case CAMEL_CIPHER_HASH_SHA256:
return "pgp-sha256";
case CAMEL_CIPHER_HASH_SHA384:
diff --git a/src/camel/camel-smime-context.c b/src/camel/camel-smime-context.c
index 1ca20083d..7b05f00e2 100644
--- a/src/camel/camel-smime-context.c
+++ b/src/camel/camel-smime-context.c
@@ -347,6 +347,7 @@ sm_signing_cmsmessage (CamelSMIMEContext *context,
if (*hash == SEC_OID_UNKNOWN) {
/* use signature algorithm from the certificate */
switch (SECOID_GetAlgorithmTag (&cert->signature)) {
+ default:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
*hash = SEC_OID_SHA256;
break;
@@ -360,7 +361,6 @@ sm_signing_cmsmessage (CamelSMIMEContext *context,
*hash = SEC_OID_MD5;
break;
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
- default:
*hash = SEC_OID_SHA1;
break;
}
@@ -739,8 +739,8 @@ smime_context_hash_to_id (CamelCipherContext *context,
case CAMEL_CIPHER_HASH_MD5:
return "md5";
case CAMEL_CIPHER_HASH_SHA1:
- case CAMEL_CIPHER_HASH_DEFAULT:
return "sha-1";
+ case CAMEL_CIPHER_HASH_DEFAULT:
case CAMEL_CIPHER_HASH_SHA256:
return "sha-256";
case CAMEL_CIPHER_HASH_SHA384:
diff --git a/src/camel/tests/smime/pgp-mime.c b/src/camel/tests/smime/pgp-mime.c
index 9b9546142..e469fe1f8 100644
--- a/src/camel/tests/smime/pgp-mime.c
+++ b/src/camel/tests/smime/pgp-mime.c
@@ -150,7 +150,7 @@ gint main (gint argc, gchar **argv)
camel_test_push ("PGP/MIME signing");
mps = camel_multipart_signed_new ();
- camel_multipart_signed_sign (mps, ctx, mime_part, "no.user@no.domain", CAMEL_CIPHER_HASH_SHA1, ex);
+ camel_multipart_signed_sign (mps, ctx, mime_part, "no.user@no.domain", CAMEL_CIPHER_HASH_SHA256, ex);
check_msg (!camel_exception_is_set (ex), "%s", camel_exception_get_description (ex));
camel_test_pull ();
diff --git a/src/camel/tests/smime/pgp.c b/src/camel/tests/smime/pgp.c
index 139aa3c9d..97eed45c7 100644
--- a/src/camel/tests/smime/pgp.c
+++ b/src/camel/tests/smime/pgp.c
@@ -138,7 +138,7 @@ gint main (gint argc, gchar **argv)
camel_test_push ("PGP signing");
camel_cipher_context_sign_sync (
- ctx, "no.user@no.domain", CAMEL_CIPHER_HASH_SHA1,
+ ctx, "no.user@no.domain", CAMEL_CIPHER_HASH_SHA256,
conpart, sigpart, NULL, &error);
if (error != NULL) {
printf ("PGP signing failed assuming non-functional environment\n%s", error->message);
diff --git a/src/camel/tests/smime/pkcs7.c b/src/camel/tests/smime/pkcs7.c
index 3f1d845a3..662e402fc 100644
--- a/src/camel/tests/smime/pkcs7.c
+++ b/src/camel/tests/smime/pkcs7.c
@@ -128,7 +128,7 @@ gint main (gint argc, gchar **argv)
camel_test_push ("PKCS7 signing");
camel_smime_sign (
- ctx, "smime xtorshun org", CAMEL_CIPHER_HASH_SHA1,
+ ctx, "smime xtorshun org", CAMEL_CIPHER_HASH_SHA256,
stream1, stream2, ex);
check_msg (!camel_exception_is_set (ex), "%s", camel_exception_get_description (ex));
camel_test_pull ();
@@ -138,7 +138,7 @@ gint main (gint argc, gchar **argv)
camel_test_push ("PKCS7 verify");
g_seekable_seek (G_SEEKABLE (stream1), 0, G_SEEK_SET, NULL, NULL);
g_seekable_seek (G_SEEKABLE (stream2), 0, G_SEEK_SET, NULL, NULL);
- valid = camel_smime_verify (ctx, CAMEL_CIPHER_HASH_SHA1, stream1, stream2, ex);
+ valid = camel_smime_verify (ctx, CAMEL_CIPHER_HASH_SHA256, stream1, stream2, ex);
check_msg (!camel_exception_is_set (ex), "%s", camel_exception_get_description (ex));
check_msg (camel_cipher_validity_get_valid (valid), "%s", camel_cipher_validity_get_description
(valid));
camel_cipher_validity_free (valid);
diff --git a/src/libedataserver/e-source-webdav.c b/src/libedataserver/e-source-webdav.c
index 8a210bb81..657d41da2 100644
--- a/src/libedataserver/e-source-webdav.c
+++ b/src/libedataserver/e-source-webdav.c
@@ -1206,7 +1206,7 @@ e_source_webdav_set_resource_query (ESourceWebdav *extension,
* The value encodes three parameters, divided by a pipe '|',
* the first is users preference, can be one of "reject", "accept",
* "temporary-reject" and "temporary-accept". The second is a host
- * name for which the trust was set. Finally the last is a SHA1
+ * name for which the trust was set. Finally the last is a SHA256
* hash of the certificate. This is not meant to be changed by a caller,
* it is supposed to be manipulated with e_source_webdav_update_ssl_trust()
* and e_source_webdav_verify_ssl_trust().
@@ -1473,7 +1473,7 @@ e_source_webdav_update_ssl_trust (ESourceWebdav *extension,
if (!bytes)
return;
- hash = g_compute_checksum_for_data (G_CHECKSUM_SHA1, bytes->data, bytes->len);
+ hash = g_compute_checksum_for_data (G_CHECKSUM_SHA256, bytes->data, bytes->len);
encode_ssl_trust (extension, response, host, hash);
@@ -1520,7 +1520,7 @@ e_source_webdav_verify_ssl_trust (ESourceWebdav *extension,
if (decode_ssl_trust (extension, &response, &old_host, &old_hash)) {
gchar *hash;
- hash = g_compute_checksum_for_data (G_CHECKSUM_SHA1, bytes->data, bytes->len);
+ hash = g_compute_checksum_for_data (G_CHECKSUM_SHA256, bytes->data, bytes->len);
if (response != E_TRUST_PROMPT_RESPONSE_UNKNOWN &&
g_strcmp0 (old_host, host) == 0 &&
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
