openssl icon indicating copy to clipboard operation
openssl copied to clipboard
verified publisher icon spacemonkeygo

Remove SHA0

Open Sp1l opened this issue 8 years ago • 3 comments

In https://github.com/spacemonkeygo/openssl/blob/master/cert.go you're using SHA-0. This standard was never used as collisions were found prior to ratifying it as a standard, please remove it from the code.

Context: OpenSSL 1.1 removed SHA-0 completely (as did LibreSSL). Building breaks on could not determine kind of name for C.EVP_sha

Sp1l avatar Jun 11 '17 10:06 Sp1l

This is a duplicate of #43 Nevertheless, SHA-0 is not just phased-out, it should never even have been part of OpenSSL. Anywhere it is used that is in error, you don't want to use a hash that is weaker than MD5.

Simply removing it from the code was sufficient.

Sp1l avatar Jun 11 '17 12:06 Sp1l

Have you tried on the most recent master? I closed #43 because we have this shim function return null on 1.1: https://github.com/spacemonkeygo/openssl/blob/1ea168d09854859640843a168ed781ef94ea6e2e/shim.c#L131

zeebo avatar Jun 12 '17 16:06 zeebo

Although it does look like a bug was introduced where returning NULL will cause problems. That needs to be fixed, regardless, but I don't believe there is a current build failure.

zeebo avatar Jun 12 '17 16:06 zeebo