MD5 deprecated in openssl 3.0

Open nsanmartin opened this issue 2 years ago • 2 comments

The function unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md) from openssl is deprecated and therefore generates lots of warnings in the build when compiling against openssl 3.0. According to https://wiki.openssl.org/index.php/EVP_Message_Digests it should be implemented similarly to this:

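#include <openssl/evp.h>
#include <openssl/md5.h>	/* MD5_DIGEST_LENGTH */

/* Placeholder name from the OpenSSL wiki example; the project has to supply it. */
void handleErrors(void);

/* Write the MD5 digest of message into md, a caller-provided buffer of at
 * least MD5_DIGEST_LENGTH bytes (the same contract as the deprecated MD5()). */
void digest_message(const unsigned char *message, size_t message_len, unsigned char *md) {

	unsigned int digest_len = MD5_DIGEST_LENGTH;

	EVP_MD_CTX *mdctx;

	if((mdctx = EVP_MD_CTX_new()) == NULL)
		handleErrors();

	/* MD5, to match the MD5() call being replaced */
	if(1 != EVP_DigestInit_ex(mdctx, EVP_md5(), NULL))
		handleErrors();

	if(1 != EVP_DigestUpdate(mdctx, message, message_len))
		handleErrors();

	/* The digest goes straight into the caller's buffer; no allocation here */
	if(1 != EVP_DigestFinal_ex(mdctx, md, &digest_len))
		handleErrors();

	EVP_MD_CTX_free(mdctx);
}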

I was trying to test replacing the present usages of MD5 with that, but on the one hand I'm not sure about what method w3m uses to "handleErrors" (I see, for example, that in some places exit(1) is just used). On the other hand, is there a proper way to test such a change (MD5 is used in file.c)?

nsanmartin avatar Nov 18 '22 02:11 nsanmartin

On Thu, Nov 17, 2022 at 06:22:46PM -0800, Nicolás San Martín wrote:

I was trying to test replacing the present usages of MD5 with that, but on the one hand I'm not sure about what method w3m uses to "handleErrors" (I see, for example, that in some places exit(1) is just used).

There is no coherent way for error handling. But usually it is best to abort the operation and show an error to the user, see disp_err_message().

How were errors handled with the old functions? Can't we keep it that way? Would it help if your new digest_message would return an error?

Thinking about it, digest_message() should return an error. It's not the job of a digest function to show errors. Let's decide what to do in case of an error where digest_message() is used.

On the other hand, is there a proper way to test such a change (MD5 is used in file.c)?

Not really. The best way to test at the moment is to provide a patch and pray that some people will use it in their build. :)

I have some regression tests running every night. I will see if I can cover the code that uses the MD5 functions there (or if it is already covered).

rkta avatar Nov 21 '22 08:11 rkta

On Mon, Nov 21, 2022 at 09:36:41AM +0100, Rene Kita wrote:

On Thu, Nov 17, 2022 at 06:22:46PM -0800, Nicolás San Martín wrote:

The function unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md) from openssl is deprecated and therefore generates lots of warnings in the build when compiling against openssl 3.0.

I have a patch for this and will create a PR in the coming days.

rkta avatar Aug 08 '23 16:08 rkta