From 0984ca854ce4b9fddbf1dc7503058406ded6e2cc Mon Sep 17 00:00:00 2001
From: Andrew Wilcox <AWilcox@Wilcox-Tech.com>
Date: Sun, 18 Oct 2015 11:19:36 -0500
Subject: [PATCH] package: use SHA256 for signature instead of SHA1
---
src/apk_blob.h | 2 +-
src/package.c | 8 ++------
2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/apk_blob.h b/src/apk_blob.h
index 2d2e30e..a879d27 100644
--- a/src/apk_blob.h
+++ b/src/apk_blob.h
@@ -41,7 +41,7 @@ extern apk_blob_t apk_null_blob;
/* Internal cointainer for MD5 or SHA1 */
struct apk_checksum {
- unsigned char data[20];
+ unsigned char data[40];
unsigned char type;
};
diff --git a/src/package.c b/src/package.c
index 24a4f94..14993b3 100644
--- a/src/package.c
+++ b/src/package.c
@@ -570,8 +570,7 @@ int apk_sign_ctx_process_file(struct apk_sign_ctx *ctx,
if (ctx->keys_fd < 0)
return 0;
- if (strncmp(&fi->name[6], "RSA.", 4) == 0 ||
- strncmp(&fi->name[6], "DSA.", 4) == 0) {
+ if (strncmp(&fi->name[6], "RSA.", 4) == 0) {
int fd = openat(ctx->keys_fd, &fi->name[10], O_RDONLY|O_CLOEXEC);
BIO *bio;
@@ -581,10 +580,7 @@ int apk_sign_ctx_process_file(struct apk_sign_ctx *ctx,
bio = BIO_new_fp(fdopen(fd, "r"), BIO_CLOSE);
ctx->signature.pkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
if (ctx->signature.pkey != NULL) {
- if (fi->name[6] == 'R')
- ctx->md = EVP_sha1();
- else
- ctx->md = EVP_dss1();
+ ctx->md = EVP_sha256();
}
BIO_free(bio);
} else
--
2.7.0