Skip to content

Migrate hash.cc from deprecated SHA256_* to EVP API #489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mmorel-35 wants to merge 1 commit into
base: main
Choose a base branch
from
+28 −8
Open

Migrate hash.cc from deprecated SHA256_* to EVP API #489

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 27 additions & 7 deletions src/hash.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
#include <string>
#include <vector>

#include <openssl/sha.h>
#include <openssl/evp.h>

namespace proxy_wasm {

Expand All @@ -37,13 +37,33 @@ std::string BytesToHex(const std::vector<uint8_t> &bytes) {
} // namespace

std::vector<uint8_t> Sha256(const std::vector<std::string_view> &parts) {
uint8_t sha256[SHA256_DIGEST_LENGTH];
SHA256_CTX sha_ctx;
SHA256_Init(&sha_ctx);
for (auto part : parts) {
SHA256_Update(&sha_ctx, part.data(), part.size());
uint8_t sha256[32]; // SHA-256 produces 32 bytes
Copy link
Contributor

@mpwarres mpwarres Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using EVP_MAX_MD_SIZE here, just to avoid hardcoding a value and having to document the assumption.

unsigned int hash_len = 0;

EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new();
if (hash_ctx == nullptr) {
return std::vector<uint8_t>();
}
Copy link
Contributor

@mpwarres mpwarres Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

optional: consider using absl::Cleanup to guarantee the EVP_MD_CTX_free call at end of scope, and not have to maintain/check hash_ok, i.e. something like:

absl::Cleanup free_ctx = [hash_ctx] { EVP_MD_CTX_free(hash_ctx); }
if (EVP_DigestInit_ex(hash_ctx, EVP_sha256(), nullptr) == 0) {
  return std::vector<uint8_t>();
}
for (auto part : parts) {
  if (EVP_DigestUpdate(hash_ctx, part.data(), part.size()) == 0) {
     return std::vector<uint8_t>();
  }
}
if (EVP_DigestFinal_ex(hash_ctx, sha256, &hash_len) == 0) {
  return std::vector<uint8_t>();
}
return std::vector<uint8_t>(sha256, sha256 + hash_len);


bool hash_ok = (EVP_DigestInit_ex(hash_ctx, EVP_sha256(), nullptr) != 0);
if (hash_ok) {
for (auto part : parts) {
if (EVP_DigestUpdate(hash_ctx, part.data(), part.size()) == 0) {
hash_ok = false;
break;
}
}
}
if (hash_ok) {
hash_ok = (EVP_DigestFinal_ex(hash_ctx, sha256, &hash_len) != 0);
}
SHA256_Final(sha256, &sha_ctx);

EVP_MD_CTX_free(hash_ctx);

if (!hash_ok || hash_len != 32) {
Copy link
Contributor

@mpwarres mpwarres Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than hardcoding 32, suggest return std::vector<uint8_t>(sha256, sha256 + hash_len);

return std::vector<uint8_t>();
}

return std::vector<uint8_t>(std::begin(sha256), std::end(sha256));
}

Expand Down
2 changes: 1 addition & 1 deletion src/hash.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
#include <string>
#include <vector>

#include <openssl/sha.h>
#include <openssl/evp.h>

namespace proxy_wasm {

Expand Down
Loading