F 1483 : Fix SHA-1 prefix match overwriting SHA-256/384/512 output

[miyazakh]

Summary

• XSTRNCMP(alg, "sha", 3) in wolfCLU_hash and wolfCLU_hashSetup
  matched "sha256", "sha384", and "sha512", causing SHA-1 to overwrite
  the correct digest and size
• Fixed by adding XSTRLEN(alg) == 3 guard to the SHA-1 branch in
  clu_hash.c and clu_hash_setup.c
• Fixed algCheck loop in clu_hash_setup.c to use XSTRCMP for
  exact matching instead of prefix matching

Depend on : #211 (Fixed)
Depend on : #219

[Copilot]

Pull request overview

Fixes an algorithm-selection bug in the CLI hash command where SHA-1 prefix matching could incorrectly override SHA-256/384/512 digest output, and tightens algorithm validation to require exact matches.

Changes:

• Guard SHA-1 selection in wolfCLU_hash / wolfCLU_hashSetup with XSTRLEN(alg) == 3 so only "sha" maps to SHA-1.
• Change hash algorithm validation to exact string matching (XSTRCMP) to avoid prefix-based acceptance.
• Broaden OCSP interop test error-message matching; update clu_x509_sign.c hash-type switch version gating / case handling.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
src/hash/clu_hash.c	Prevents SHA-1 branch from matching sha256/sha384/sha512 by requiring exact "sha".
src/hash/clu_hash_setup.c	Requires exact algorithm match during argument validation and ensures SHA-1 size only applies to "sha".
tests/ocsp/ocsp-interop-test.sh	Accepts additional common “file not found” phrasing in Test 6 logs.
src/x509/clu_x509_sign.c	Adjusts conditional compilation for unsupported hash-type cases in certificate signing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The PR description doesn’t mention this change in certificate-signing hash handling. Also, introducing a new hard-coded wolfSSL version threshold (>= 0x05009000) is inconsistent with the rest of the codebase (which generally gates on > 0x05001000) and drops the previous per-feature guards (e.g., WOLFSSL_SHAKE128/WOLFSSL_SHAKE256). Consider documenting why 5.9.0 is required here, or switching to feature/enum-availability guards to avoid version-specific build regressions.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Now that exact matching is the goal, consider replacing the XSTRNCMP(..., 3) && XSTRLEN(alg) == 3 pattern with a single exact comparison (e.g., XSTRCMP(alg, \"sha\") == 0). It’s simpler, more readable, and avoids a redundant length check.

Suggested change

	if ((XSTRNCMP(alg, "sha", 3) == 0) && (XSTRLEN(alg) == 3))
	if (XSTRCMP(alg, "sha") == 0)

[Copilot]

Same as in setup: since this branch should only run for the literal algorithm name, prefer an exact compare (e.g., XSTRCMP(alg, \"sha\") == 0) over XSTRNCMP + length guard. This reduces complexity and makes the intent unambiguous.

Suggested change

	if (ret == WOLFCLU_SUCCESS && XSTRNCMP(alg, "sha", 3) == 0
	&& XSTRLEN(alg) == 3) {
	if (ret == WOLFCLU_SUCCESS && XSTRCMP(alg, "sha") == 0) {

[Copilot]

Switching from prefix matching to XSTRCMP changes the CLI’s accepted inputs: previously, a shorter string could match a longer algorithm name (depending on algs[]). If users relied on abbreviations/prefixes, this is a breaking behavior change—consider updating the CLI usage/help text accordingly, or implement a deliberate abbreviation scheme (e.g., accept prefixes only when they resolve uniquely).