md: fix name/OID lookup for MD5 and post-shake digests (digest_list interior NULLs)#31
Open
MarkAtwood wants to merge 1 commit into
Conversation
digest_list[] is a NULL-terminated array walked by spec_from_name() and
spec_from_oid(). Under HAVE_WOLFSSL the SHA-3 block substituted four interior
NULL placeholders for the unavailable shake specs. An interior NULL terminates
the scan early, so every digest listed after it (md5, md2, md4, rmd160, ...)
became unresolvable by name/OID; gcry_md_map_name("MD5") returned 0. That
breaks consumers referencing digests by name -- GnuPG registers MD5 as a
default weak digest at startup and aborts when the lookup fails, breaking gpg
and apt signature verification.
Remove the interior NULLs so the array has no interior terminator; under
HAVE_WOLFSSL the shake entries are simply absent. Restores name and OID
resolution for MD5 and all post-shake digests. Does not re-enable MD5
computation (NO_MD5 still refuses it) -- only name/OID lookup.
Fixes wolfSSL#30
There was a problem hiding this comment.
Pull request overview
Fixes digest name/OID resolution in WolfSSL builds by removing interior NULL entries from the digest_list[] scan array so spec_from_name() / spec_from_oid() don’t terminate early. This restores gcry_md_map_name("MD5") (and other post-SHAKE digests) lookup behavior without re-enabling MD5 computation.
Changes:
- Removed the
HAVE_WOLFSSL#elsebranch that inserted four interiorNULLplaceholders for unavailable SHAKE/cSHAKE specs. - Ensured
digest_list[]remains a properlyNULL-terminated array with no interior terminators underHAVE_WOLFSSL.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #30.
digest_list[]is a NULL-terminated scan array; underHAVE_WOLFSSLit had fourinterior NULL placeholders (for the unavailable shake specs) that terminate
spec_from_name()/spec_from_oid()early, making MD5 and every post-shakedigest unresolvable by name/OID.
gcry_md_map_name("MD5")returned 0, whichbreaks GnuPG (aborts registering MD5 as a weak digest) and thus apt signature
verification.
This removes the interior NULLs so the array has no interior terminator. Under
HAVE_WOLFSSLthe shake entries are simply absent. MD5 computation staysrefused by
NO_MD5— only name/OID lookup is restored.Verified:
gcry_md_map_name("MD5")resolves again andgpg --check-sigs/apt-key signature verification work.