Move from SHA-1 to SHA-256 as default in programs

parent 70dbfaa9
......@@ -9,6 +9,8 @@ Features
Bugfix
Changes
* Move from SHA-1 to SHA-256 in example programs using signatures
(suggested by Thorsten Mühlfelder).
= mbed TLS 1.3.10 released 2015-02-09
Security
......
......@@ -48,7 +48,7 @@
#if !defined(POLARSSL_AES_C) || !defined(POLARSSL_DHM_C) || \
!defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_NET_C) || \
!defined(POLARSSL_RSA_C) || !defined(POLARSSL_SHA1_C) || \
!defined(POLARSSL_RSA_C) || !defined(POLARSSL_SHA256_C) || \
!defined(POLARSSL_FS_IO) || !defined(POLARSSL_CTR_DRBG_C)
int main( int argc, char *argv[] )
{
......@@ -57,7 +57,7 @@ int main( int argc, char *argv[] )
polarssl_printf("POLARSSL_AES_C and/or POLARSSL_DHM_C and/or POLARSSL_ENTROPY_C "
"and/or POLARSSL_NET_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_SHA1_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_SHA256_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_CTR_DRBG_C not defined.\n");
return( 0 );
}
......@@ -193,7 +193,7 @@ int main( int argc, char *argv[] )
/*
* 5. Check that the server's RSA signature matches
* the SHA-1 hash of (P,G,Ys)
* the SHA-256 hash of (P,G,Ys)
*/
polarssl_printf( "\n . Verifying the server's RSA signature" );
fflush( stdout );
......@@ -210,7 +210,7 @@ int main( int argc, char *argv[] )
sha1( buf, (int)( p - 2 - buf ), hash );
if( ( ret = rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC,
POLARSSL_MD_SHA1, 0, hash, p ) ) != 0 )
POLARSSL_MD_SHA256, 0, hash, p ) ) != 0 )
{
polarssl_printf( " failed\n ! rsa_pkcs1_verify returned %d\n\n", ret );
goto exit;
......@@ -297,5 +297,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_AES_C && POLARSSL_DHM_C && POLARSSL_ENTROPY_C &&
POLARSSL_NET_C && POLARSSL_RSA_C && POLARSSL_SHA1_C &&
POLARSSL_NET_C && POLARSSL_RSA_C && POLARSSL_SHA256_C &&
POLARSSL_FS_IO && POLARSSL_CTR_DRBG_C */
......@@ -48,7 +48,7 @@
#if !defined(POLARSSL_AES_C) || !defined(POLARSSL_DHM_C) || \
!defined(POLARSSL_ENTROPY_C) || !defined(POLARSSL_NET_C) || \
!defined(POLARSSL_RSA_C) || !defined(POLARSSL_SHA1_C) || \
!defined(POLARSSL_RSA_C) || !defined(POLARSSL_SHA256_C) || \
!defined(POLARSSL_FS_IO) || !defined(POLARSSL_CTR_DRBG_C)
int main( int argc, char *argv[] )
{
......@@ -57,7 +57,7 @@ int main( int argc, char *argv[] )
polarssl_printf("POLARSSL_AES_C and/or POLARSSL_DHM_C and/or POLARSSL_ENTROPY_C "
"and/or POLARSSL_NET_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_SHA1_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_SHA256_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_CTR_DBRG_C not defined.\n");
return( 0 );
}
......@@ -201,7 +201,7 @@ int main( int argc, char *argv[] )
buf[n ] = (unsigned char)( rsa.len >> 8 );
buf[n + 1] = (unsigned char)( rsa.len );
if( ( ret = rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1,
if( ( ret = rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, POLARSSL_MD_SHA256,
0, hash, buf + n + 2 ) ) != 0 )
{
polarssl_printf( " failed\n ! rsa_pkcs1_sign returned %d\n\n", ret );
......@@ -298,5 +298,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_AES_C && POLARSSL_DHM_C && POLARSSL_ENTROPY_C &&
POLARSSL_NET_C && POLARSSL_RSA_C && POLARSSL_SHA1_C &&
POLARSSL_NET_C && POLARSSL_RSA_C && POLARSSL_SHA256_C &&
POLARSSL_FS_IO && POLARSSL_CTR_DRBG_C */
......@@ -47,7 +47,7 @@
#endif
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_ENTROPY_C) || \
!defined(POLARSSL_SHA1_C) || \
!defined(POLARSSL_SHA256_C) || \
!defined(POLARSSL_PK_PARSE_C) || !defined(POLARSSL_FS_IO) || \
!defined(POLARSSL_CTR_DRBG_C)
int main( int argc, char *argv[] )
......@@ -56,7 +56,7 @@ int main( int argc, char *argv[] )
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_ENTROPY_C and/or "
"POLARSSL_SHA1_C and/or "
"POLARSSL_SHA256_C and/or "
"POLARSSL_PK_PARSE_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_CTR_DRBG_C not defined.\n");
return( 0 );
......@@ -111,10 +111,10 @@ int main( int argc, char *argv[] )
}
/*
* Compute the SHA-1 hash of the input file,
* Compute the SHA-256 hash of the input file,
* then calculate the signature of the hash.
*/
polarssl_printf( "\n . Generating the SHA-1 signature" );
polarssl_printf( "\n . Generating the SHA-256 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[2], hash ) ) != 0 )
......@@ -123,7 +123,7 @@ int main( int argc, char *argv[] )
goto exit;
}
if( ( ret = pk_sign( &pk, POLARSSL_MD_SHA1, hash, 0, buf, &olen,
if( ( ret = pk_sign( &pk, POLARSSL_MD_SHA256, hash, 0, buf, &olen,
ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
polarssl_printf( " failed\n ! pk_sign returned -0x%04x\n", -ret );
......@@ -170,5 +170,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_ENTROPY_C &&
POLARSSL_SHA1_C && POLARSSL_PK_PARSE_C && POLARSSL_FS_IO &&
POLARSSL_SHA256_C && POLARSSL_PK_PARSE_C && POLARSSL_FS_IO &&
POLARSSL_CTR_DRBG_C */
......@@ -45,7 +45,7 @@
#endif
#if !defined(POLARSSL_BIGNUM_C) || \
!defined(POLARSSL_SHA1_C) || !defined(POLARSSL_PK_PARSE_C) || \
!defined(POLARSSL_SHA256_C) || !defined(POLARSSL_PK_PARSE_C) || \
!defined(POLARSSL_FS_IO)
int main( int argc, char *argv[] )
{
......@@ -53,7 +53,7 @@ int main( int argc, char *argv[] )
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or "
"POLARSSL_SHA1_C and/or POLARSSL_PK_PARSE_C and/or "
"POLARSSL_SHA256_C and/or POLARSSL_PK_PARSE_C and/or "
"POLARSSL_FS_IO not defined.\n");
return( 0 );
}
......@@ -108,10 +108,10 @@ int main( int argc, char *argv[] )
fclose( f );
/*
* Compute the SHA-1 hash of the input file and compare
* Compute the SHA-256 hash of the input file and compare
* it with the hash decrypted from the signature.
*/
polarssl_printf( "\n . Verifying the SHA-1 signature" );
polarssl_printf( "\n . Verifying the SHA-256 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[2], hash ) ) != 0 )
......@@ -120,14 +120,14 @@ int main( int argc, char *argv[] )
goto exit;
}
if( ( ret = pk_verify( &pk, POLARSSL_MD_SHA1, hash, 0,
if( ( ret = pk_verify( &pk, POLARSSL_MD_SHA256, hash, 0,
buf, i ) ) != 0 )
{
polarssl_printf( " failed\n ! pk_verify returned -0x%04x\n", -ret );
goto exit;
}
polarssl_printf( "\n . OK (the decrypted SHA-1 hash matches)\n\n" );
polarssl_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" );
ret = 0;
......@@ -146,5 +146,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_SHA1_C &&
#endif /* POLARSSL_BIGNUM_C && POLARSSL_SHA256_C &&
POLARSSL_PK_PARSE_C && POLARSSL_FS_IO */
/*
* RSA/SHA-1 signature creation program
* RSA/SHA-256 signature creation program
*
* Copyright (C) 2006-2011, ARM Limited, All Rights Reserved
*
......@@ -40,14 +40,14 @@
#include "polarssl/sha1.h"
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \
!defined(POLARSSL_SHA1_C) || !defined(POLARSSL_FS_IO)
!defined(POLARSSL_SHA256_C) || !defined(POLARSSL_FS_IO)
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_SHA1_C and/or POLARSSL_FS_IO not defined.\n");
"POLARSSL_SHA256_C and/or POLARSSL_FS_IO not defined.\n");
return( 0 );
}
#else
......@@ -112,10 +112,10 @@ int main( int argc, char *argv[] )
}
/*
* Compute the SHA-1 hash of the input file,
* Compute the SHA-256 hash of the input file,
* then calculate the RSA signature of the hash.
*/
polarssl_printf( "\n . Generating the RSA/SHA-1 signature" );
polarssl_printf( "\n . Generating the RSA/SHA-256 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[1], hash ) ) != 0 )
......@@ -124,7 +124,7 @@ int main( int argc, char *argv[] )
goto exit;
}
if( ( ret = rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, POLARSSL_MD_SHA1,
if( ( ret = rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, POLARSSL_MD_SHA256,
20, hash, buf ) ) != 0 )
{
polarssl_printf( " failed\n ! rsa_pkcs1_sign returned -0x%0x\n\n", -ret );
......@@ -160,5 +160,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_SHA1_C &&
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_SHA256_C &&
POLARSSL_FS_IO */
/*
* RSASSA-PSS/SHA-1 signature creation program
* RSASSA-PSS/SHA-256 signature creation program
*
* Copyright (C) 2006-2011, ARM Limited, All Rights Reserved
*
......@@ -47,7 +47,7 @@
#endif
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_ENTROPY_C) || \
!defined(POLARSSL_RSA_C) || !defined(POLARSSL_SHA1_C) || \
!defined(POLARSSL_RSA_C) || !defined(POLARSSL_SHA256_C) || \
!defined(POLARSSL_PK_PARSE_C) || !defined(POLARSSL_FS_IO) || \
!defined(POLARSSL_CTR_DRBG_C)
int main( int argc, char *argv[] )
......@@ -56,7 +56,7 @@ int main( int argc, char *argv[] )
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_ENTROPY_C and/or "
"POLARSSL_RSA_C and/or POLARSSL_SHA1_C and/or "
"POLARSSL_RSA_C and/or POLARSSL_SHA256_C and/or "
"POLARSSL_PK_PARSE_C and/or POLARSSL_FS_IO and/or "
"POLARSSL_CTR_DRBG_C not defined.\n");
return( 0 );
......@@ -118,13 +118,13 @@ int main( int argc, char *argv[] )
goto exit;
}
rsa_set_padding( pk_rsa( pk ), RSA_PKCS_V21, POLARSSL_MD_SHA1 );
rsa_set_padding( pk_rsa( pk ), RSA_PKCS_V21, POLARSSL_MD_SHA256 );
/*
* Compute the SHA-1 hash of the input file,
* Compute the SHA-256 hash of the input file,
* then calculate the RSA signature of the hash.
*/
polarssl_printf( "\n . Generating the RSA/SHA-1 signature" );
polarssl_printf( "\n . Generating the RSA/SHA-256 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[2], hash ) ) != 0 )
......@@ -133,7 +133,7 @@ int main( int argc, char *argv[] )
goto exit;
}
if( ( ret = pk_sign( &pk, POLARSSL_MD_SHA1, hash, 0, buf, &olen,
if( ( ret = pk_sign( &pk, POLARSSL_MD_SHA256, hash, 0, buf, &olen,
ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
polarssl_printf( " failed\n ! pk_sign returned %d\n\n", ret );
......@@ -175,5 +175,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_ENTROPY_C && POLARSSL_RSA_C &&
POLARSSL_SHA1_C && POLARSSL_PK_PARSE_C && POLARSSL_FS_IO &&
POLARSSL_SHA256_C && POLARSSL_PK_PARSE_C && POLARSSL_FS_IO &&
POLARSSL_CTR_DRBG_C */
/*
* RSA/SHA-1 signature verification program
* RSA/SHA-256 signature verification program
*
* Copyright (C) 2006-2011, ARM Limited, All Rights Reserved
*
......@@ -39,14 +39,14 @@
#include "polarssl/sha1.h"
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \
!defined(POLARSSL_SHA1_C) || !defined(POLARSSL_FS_IO)
!defined(POLARSSL_SHA256_C) || !defined(POLARSSL_FS_IO)
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_SHA1_C and/or POLARSSL_FS_IO not defined.\n");
"POLARSSL_SHA256_C and/or POLARSSL_FS_IO not defined.\n");
return( 0 );
}
#else
......@@ -122,10 +122,10 @@ int main( int argc, char *argv[] )
}
/*
* Compute the SHA-1 hash of the input file and compare
* Compute the SHA-256 hash of the input file and compare
* it with the hash decrypted from the RSA signature.
*/
polarssl_printf( "\n . Verifying the RSA/SHA-1 signature" );
polarssl_printf( "\n . Verifying the RSA/SHA-256 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[1], hash ) ) != 0 )
......@@ -135,13 +135,13 @@ int main( int argc, char *argv[] )
}
if( ( ret = rsa_pkcs1_verify( &rsa, NULL, NULL, RSA_PUBLIC,
POLARSSL_MD_SHA1, 20, hash, buf ) ) != 0 )
POLARSSL_MD_SHA256, 20, hash, buf ) ) != 0 )
{
polarssl_printf( " failed\n ! rsa_pkcs1_verify returned -0x%0x\n\n", -ret );
goto exit;
}
polarssl_printf( "\n . OK (the decrypted SHA-1 hash matches)\n\n" );
polarssl_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" );
ret = 0;
......@@ -154,5 +154,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_SHA1_C &&
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_SHA256_C &&
POLARSSL_FS_IO */
/*
* RSASSA-PSS/SHA-1 signature verification program
* RSASSA-PSS/SHA-256 signature verification program
*
* Copyright (C) 2006-2011, ARM Limited, All Rights Reserved
*
......@@ -46,7 +46,7 @@
#endif
#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_RSA_C) || \
!defined(POLARSSL_SHA1_C) || !defined(POLARSSL_PK_PARSE_C) || \
!defined(POLARSSL_SHA256_C) || !defined(POLARSSL_PK_PARSE_C) || \
!defined(POLARSSL_FS_IO)
int main( int argc, char *argv[] )
{
......@@ -54,7 +54,7 @@ int main( int argc, char *argv[] )
((void) argv);
polarssl_printf("POLARSSL_BIGNUM_C and/or POLARSSL_RSA_C and/or "
"POLARSSL_SHA1_C and/or POLARSSL_PK_PARSE_C and/or "
"POLARSSL_SHA256_C and/or POLARSSL_PK_PARSE_C and/or "
"POLARSSL_FS_IO not defined.\n");
return( 0 );
}
......@@ -99,7 +99,7 @@ int main( int argc, char *argv[] )
goto exit;
}
rsa_set_padding( pk_rsa( pk ), RSA_PKCS_V21, POLARSSL_MD_SHA1 );
rsa_set_padding( pk_rsa( pk ), RSA_PKCS_V21, POLARSSL_MD_SHA256 );
/*
* Extract the RSA signature from the text file
......@@ -119,10 +119,10 @@ int main( int argc, char *argv[] )
fclose( f );
/*
* Compute the SHA-1 hash of the input file and compare
* Compute the SHA-256 hash of the input file and compare
* it with the hash decrypted from the RSA signature.
*/
polarssl_printf( "\n . Verifying the RSA/SHA-1 signature" );
polarssl_printf( "\n . Verifying the RSA/SHA-256 signature" );
fflush( stdout );
if( ( ret = sha1_file( argv[2], hash ) ) != 0 )
......@@ -131,14 +131,14 @@ int main( int argc, char *argv[] )
goto exit;
}
if( ( ret = pk_verify( &pk, POLARSSL_MD_SHA1, hash, 0,
if( ( ret = pk_verify( &pk, POLARSSL_MD_SHA256, hash, 0,
buf, i ) ) != 0 )
{
polarssl_printf( " failed\n ! pk_verify returned %d\n\n", ret );
goto exit;
}
polarssl_printf( "\n . OK (the decrypted SHA-1 hash matches)\n\n" );
polarssl_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" );
ret = 0;
......@@ -152,5 +152,5 @@ exit:
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_SHA1_C &&
#endif /* POLARSSL_BIGNUM_C && POLARSSL_RSA_C && POLARSSL_SHA256_C &&
POLARSSL_PK_PARSE_C && POLARSSL_FS_IO */
......@@ -149,7 +149,7 @@ int main( int argc, char *argv[] )
* Set to sane values
*/
x509write_csr_init( &req );
x509write_csr_set_md_alg( &req, POLARSSL_MD_SHA1 );
x509write_csr_set_md_alg( &req, POLARSSL_MD_SHA256 );
pk_init( &key );
memset( buf, 0, sizeof( buf ) );
......
......@@ -209,7 +209,7 @@ int main( int argc, char *argv[] )
* Set to sane values
*/
x509write_crt_init( &crt );
x509write_crt_set_md_alg( &crt, POLARSSL_MD_SHA1 );
x509write_crt_set_md_alg( &crt, POLARSSL_MD_SHA256 );
pk_init( &loaded_issuer_key );
pk_init( &loaded_subject_key );
mpi_init( &serial );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment