Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EVP_sha256() does not appear in OpenSSL until 0.9.7h, not available by default until 0.9.8 #8464

wants to merge 1 commit into from


Copy link

@asedeno asedeno commented Feb 16, 2022

We can't use OpenSSL's SHA256 implementation in versions that predate it, and the EVP_sha256() function does not appear until OpenSSL 0.9.7h. It is possible it was not enabled by default until later, and someone else can propose moving this threshold up further, but this is the minimum lower bound for this to work.

Copy link

bagder commented Feb 16, 2022

Does it really appear in 0.9.7h? this email seems to suggest that it might not. I presume you're using a version older than 0.9.7h yourself? (I also presume you're fully aware that you really should upgrade to a more modern version)

@bagder bagder added the TLS label Feb 16, 2022
Copy link
Contributor Author

asedeno commented Feb 16, 2022

My determination was made using a git checkout of the openssl repo, checking out the various tags, and grepping for EVP_sha256. There were zero results before 0.9.7h, and consistent results from 0.9.7h to 0.9.7m, which is why I say 0.9.7h is a lower bound below which it will definitely not work.

I saw that thread, but it was not clear to me in the changelogs from 0.9.7h to 0.9.7m when something relevant may have changed.

The ancient platform I'm building git (and for git, curl) for is an old Solaris installation with a bunch of packages installed at /usr/athena/ and OpenSSL 0.9.7d. It's not mine to upgrade.

Copy link
Contributor Author

asedeno commented Feb 16, 2022

You know, building these versions won't take that long. I'll try to pin it down better.

Copy link
Contributor Author

asedeno commented Feb 17, 2022

Okay, I tested with a tiny program,

#include <stdio.h>
#include <openssl/evp.h>

int main(char* argv, int argc) {
     printf("%p\n", EVP_sha256);
     return 0;

and compiled and it, statically linking against libssl.a and libcrypto.a from builds of OpenSSL 0.9.7h-0.9.7m and 0.9.8 with default config (no-asm for 0.9.8, because I needed it to build). Only 0.9.8 worked.

$ cc -I./openssl-0.9.7m/include sha256.c ./openssl-0.9.7m/libcrypto.a ./openssl-0.9.7m/libssl.a && ldd ./a.out && ./a.out 
sha256.c: In function ‘main’:
sha256.c:5:21: error: ‘EVP_sha256’ undeclared (first use in this function); did you mean ‘EVP_sha1’?
      printf("%p\n", EVP_sha256);
sha256.c:5:21: note: each undeclared identifier is reported only once for each function it appears in
 $ cc -I./openssl-0.9.8/include sha256.c ./openssl-0.9.8/libcrypto.a ./openssl-0.9.8/libssl.a && ldd ./a.out && ./a.out (0x00007fff165a2000) => /lib/x86_64-linux-gnu/ (0x00007f123f311000)
        /lib64/ (0x00007f123f55f000)

So I think we want to push that back up to 0.9.8 and will update the patch accordingly.

EVP_sha256() does not appear in the OpenSSL source before 0.9.7h, and
does not get built by default until 0.9.8, so trying to use it for all
0.9.7 is wrong, and before 0.9.8 is unreliable.
@asedeno asedeno changed the title EVP_sha256() does not appear in OpenSSL until 0.9.7h EVP_sha256() does not appear in OpenSSL until 0.9.7h, not available by default until 0.9.8 Feb 17, 2022
@jay jay closed this in 477a2bf Feb 17, 2022
Copy link

jay commented Feb 17, 2022


@asedeno asedeno deleted the sha256_and_old_openssl branch February 17, 2022 07:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Successfully merging this pull request may close these issues.

None yet

3 participants