From 9e7e2a199b4ada887a3f3459f972ed381ae6d681 Mon Sep 17 00:00:00 2001
From: Richard Alam <ritzalam@gmail.com>
Date: Mon, 11 Dec 2017 11:07:29 -0800
Subject: [PATCH]  - switch how to calc checksum from sha1hex to sha256hex

---
 .../core/apps/breakout/BreakoutApp2x.scala    |  2 +-
 .../api/ParamsProcessorUtil.java              | 19 ++++++++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/akka-bbb-apps/src/main/scala/org/bigbluebutton/core/apps/breakout/BreakoutApp2x.scala b/akka-bbb-apps/src/main/scala/org/bigbluebutton/core/apps/breakout/BreakoutApp2x.scala
index 022bf5fd3b..312fb59e10 100755
--- a/akka-bbb-apps/src/main/scala/org/bigbluebutton/core/apps/breakout/BreakoutApp2x.scala
+++ b/akka-bbb-apps/src/main/scala/org/bigbluebutton/core/apps/breakout/BreakoutApp2x.scala
@@ -42,7 +42,7 @@ object BreakoutRoomsUtil {
   //checksum() -- Return a checksum based on SHA-1 digest
   //
   def checksum(s: String): String = {
-    DigestUtils.sha1Hex(s);
+    DigestUtils.sha256Hex(s);
   }
 
   def calculateChecksum(apiCall: String, baseString: String, sharedSecret: String): String = {
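Review bot: The comment two lines above `checksum` still reads `//checksum() -- Return a checksum based on SHA-1 digest`, which is wrong now that the body calls `DigestUtils.sha256Hex(s)`. Update it to `//checksum() -- Return a checksum based on SHA-256 digest (64 hex characters)` so that nobody reading the helper assumes the 40-character SHA-1 form. The receiving side in this patch picks the algorithm from the checksum length, so the output length is worth stating here. `calculateChecksum` starts on the last line of the hunk and its body is outside it.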
diff --git a/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java b/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java
index bb30401ef7..245fd257f7 100755
--- a/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java
+++ b/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java
@@ -678,8 +678,15 @@ public class ParamsProcessorUtil {
 			log.warn("Security is disabled in this service. Make sure this is intentional.");
 			return true;
 		}
-        
-		String cs = DigestUtils.shaHex(meetingID + configXML + securitySalt);
+
+		log.info("CONFIGXML CHECKSUM=" + checksum + " length=" + checksum.length());
+
+		String data = meetingID + configXML + securitySalt;
+		String cs = DigestUtils.sha1Hex(data);
+		if (checksum.length() == 64) {
+			cs = DigestUtils.sha256Hex(data);
+			log.info("CONFIGXML SHA256 " + cs);
+		}
 
 		if (cs == null || cs.equals(checksum) == false) {
 			log.info("checksumError: configXML checksum. our: [{}], client: [{}]", cs, checksum);
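Review bot: The added `log.info("CONFIGXML CHECKSUM=" + checksum + ...)` and `log.info("CONFIGXML SHA256 " + cs)` lines write both the client-supplied checksum and the server-computed one to the log at info level on every call, not only on a mismatch. The computed value is the valid authenticator for this meetingID/configXML pair, so anyone who can read the log can reuse it. I would drop the second line and reduce the first to `log.debug("configXML checksum length={}", checksum.length());`, which also matches the parameterised style of the `checksumError` line. The same two log lines appear in the query-string hunk below (`CHECKSUM=` and `SHA256 `). `checksum.length()` is also called with no null check visible here, and the method starts and ends outside the hunk, so confirm that a missing checksum is rejected before this point.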
@@ -704,8 +711,14 @@ public class ParamsProcessorUtil {
 		    queryString = queryString.replace("checksum=" + checksum, "");
 		}
 
-		String cs = DigestUtils.shaHex(apiCall + queryString + securitySalt);
+		log.info("CHECKSUM=" + checksum + " length=" + checksum.length());
 
+		String data = apiCall + queryString + securitySalt;
+		String cs = DigestUtils.sha1Hex(data);
+		if (checksum.length() == 64) {
+			cs = DigestUtils.sha256Hex(data);
+			log.info("SHA256 " + cs);
+		}
 		if (cs == null || cs.equals(checksum) == false) {
 			log.info("query string after checksum removed: [{}]", queryString);
 			log.info("checksumError: query string checksum failed. our: [{}], client: [{}]", cs, checksum);
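Review bot: Any checksum that is not exactly 64 characters long is still verified with `DigestUtils.sha1Hex(data)`, so the server keeps accepting SHA-1 checksums after this change and the caller selects the algorithm by length alone. If that fallback is deliberate for older API clients, say so above the `if`, for example `// Legacy clients send 40-char SHA-1 checksums; a 64-char checksum selects SHA-256.`, so it can be found and removed later. The comparison `cs.equals(checksum)` on the following line is not constant-time; `MessageDigest.isEqual(cs.getBytes(StandardCharsets.UTF_8), checksum.getBytes(StandardCharsets.UTF_8))` is the usual replacement. Both points apply equally to the configXML hunk above. The method starts and ends outside the hunk.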
-- 
GitLab