Skip to content

md: fix name/OID lookup for MD5 and post-shake digests (digest_list interior NULLs)#31

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:libgcrypt-1.11.0-wolfCrypt-fips-readyfrom
MarkAtwood:fix/md5-name-lookup-interior-nulls
Open

md: fix name/OID lookup for MD5 and post-shake digests (digest_list interior NULLs)#31
MarkAtwood wants to merge 1 commit into
wolfSSL:libgcrypt-1.11.0-wolfCrypt-fips-readyfrom
MarkAtwood:fix/md5-name-lookup-interior-nulls

Conversation

@MarkAtwood

Copy link
Copy Markdown

Fixes #30.

digest_list[] is a NULL-terminated scan array; under HAVE_WOLFSSL it had four
interior NULL placeholders (for the unavailable shake specs) that terminate
spec_from_name()/spec_from_oid() early, making MD5 and every post-shake
digest unresolvable by name/OID. gcry_md_map_name("MD5") returned 0, which
breaks GnuPG (aborts registering MD5 as a weak digest) and thus apt signature
verification.

This removes the interior NULLs so the array has no interior terminator. Under
HAVE_WOLFSSL the shake entries are simply absent. MD5 computation stays
refused by NO_MD5 — only name/OID lookup is restored.

Verified: gcry_md_map_name("MD5") resolves again and gpg --check-sigs /
apt-key signature verification work.

digest_list[] is a NULL-terminated array walked by spec_from_name() and
spec_from_oid(). Under HAVE_WOLFSSL the SHA-3 block substituted four interior
NULL placeholders for the unavailable shake specs. An interior NULL terminates
the scan early, so every digest listed after it (md5, md2, md4, rmd160, ...)
became unresolvable by name/OID; gcry_md_map_name("MD5") returned 0. That
breaks consumers referencing digests by name -- GnuPG registers MD5 as a
default weak digest at startup and aborts when the lookup fails, breaking gpg
and apt signature verification.

Remove the interior NULLs so the array has no interior terminator; under
HAVE_WOLFSSL the shake entries are simply absent. Restores name and OID
resolution for MD5 and all post-shake digests. Does not re-enable MD5
computation (NO_MD5 still refuses it) -- only name/OID lookup.

Fixes wolfSSL#30
Copilot AI review requested due to automatic review settings July 3, 2026 02:53

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes digest name/OID resolution in WolfSSL builds by removing interior NULL entries from the digest_list[] scan array so spec_from_name() / spec_from_oid() don’t terminate early. This restores gcry_md_map_name("MD5") (and other post-SHAKE digests) lookup behavior without re-enabling MD5 computation.

Changes:

  • Removed the HAVE_WOLFSSL #else branch that inserted four interior NULL placeholders for unavailable SHAKE/cSHAKE specs.
  • Ensured digest_list[] remains a properly NULL-terminated array with no interior terminators under HAVE_WOLFSSL.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants