fix: eliminate duplicate NID→name table in get_message_digest() #157

Merged: timlegge merged 1 commit into cpan-authors:main from atoomic:koan.atoomic/fix-issue-153 on Apr 3, 2026
Conversation

@Koan-Bot (Contributor) commented Apr 3, 2026

Summary

On OpenSSL 3.x, get_message_digest() duplicated the switch(hash_method) NID→algorithm-name table already present in get_md_bynid(). A new hash algorithm added to one table but missed in the other would cause sign()/verify() to silently use different digest algorithms, making every signature fail verification.

Fixes #153

Changes

  • Replace the 3.x switch in get_message_digest() with get_md_bynid() + EVP_Digest() — one NID→name mapping, one source of truth
  • Pre-3.x path (using MD5(), SHA*(), etc.) is unchanged
  • Side-effect fix: whirlpool on OpenSSL 3.x previously fell through to the deprecated WHIRLPOOL() low-level API; now uses the correct EVP_MD_fetch() path via get_md_bynid()

Test plan

  • All 477 existing tests pass (make test)
  • Tested on macOS with Homebrew OpenSSL 3.6.1

Generated by Kōan /fix


Quality Report

Changes: 1 file changed, 11 insertions(+), 26 deletions(-)

Code scan: clean

Tests: passed (OK)

Branch hygiene: clean

Generated by Kōan post-mission quality pipeline

On OpenSSL 3.x, get_message_digest() duplicated the NID→algorithm-name
switch already present in get_md_bynid(). A new hash added to one table
but not the other would cause sign/verify to silently diverge.

Replace the 3.x switch in get_message_digest() with a call to
get_md_bynid() + EVP_Digest(), making get_md_bynid() the single source
of truth for NID→algorithm mapping. Pre-3.x path is unchanged.

As a side effect, fixes whirlpool on OpenSSL 3.x: the old code fell
through to WHIRLPOOL() (deprecated low-level API), now uses the correct
EVP_MD_fetch() path via get_md_bynid().

Fixes cpan-authors#153

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@atoomic requested a review from timlegge April 3, 2026 13:36
@atoomic marked this pull request as ready for review April 3, 2026 13:36

@timlegge (Member) left a comment

This looks fine and reduces some code repetition

@timlegge timlegge merged commit 71cc523 into cpan-authors:main Apr 3, 2026
28 checks passed
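
The failure mode this pull request describes (signing and verification resolving a hash NID to different digests) can be caught by a round-trip test over every digest mode. The following is an added example, not part of the pull request or the project's own test suite; it assumes the `use_*_hash` selectors of Crypt::OpenSSL::RSA and treats a digest the OpenSSL build cannot provide as a skip.

```perl
#!/usr/bin/perl
# Added example: round-trip every digest mode through sign() and verify().
# If the signing and verifying paths resolve a hash NID to different
# algorithms, the round trip for that mode fails.
use strict;
use warnings;
use Test::More;
use Crypt::OpenSSL::RSA;

# Digest selectors offered by Crypt::OpenSSL::RSA; availability depends on
# the module version and the OpenSSL build, so each one is probed with can().
my @modes = qw(md5 sha1 sha224 sha256 sha384 sha512 ripemd160 whirlpool);

# Constructed sample input and a throwaway key pair.
my $message = "constructed sample message for the digest round trip";
my $private = Crypt::OpenSSL::RSA->generate_key(2048);
my $public  = Crypt::OpenSSL::RSA->new_public_key(
    $private->get_public_key_string );

for my $mode (@modes) {
    my $selector = "use_${mode}_hash";
  SKIP: {
        skip "$selector not provided by this module version", 3
          unless $private->can($selector);

        $private->$selector();
        $public->$selector();

        # Legacy digests (for example whirlpool on OpenSSL 3.x) may be
        # unavailable in the loaded providers; treat that as a skip.
        my $sig = eval { $private->sign($message) };
        skip "$mode unavailable in this OpenSSL build: $@", 3
          unless defined $sig;

        ok( $public->verify( $message, $sig ),
            "$mode: signature verifies with the same digest mode" );
        ok( !eval { $public->verify( "$message (tampered)", $sig ) },
            "$mode: altered message is rejected" );

        # Verifying under a different digest must not validate the signature.
        my $other = $mode eq 'sha256' ? 'use_sha512_hash' : 'use_sha256_hash';
        $public->$other();
        ok( !eval { $public->verify( $message, $sig ) },
            "$mode: signature is rejected under a different digest" );
    }
}
done_testing();
```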
Development

Successfully merging this pull request may close these issues.

duplication: NID→algorithm-name mapping split across get_md_bynid() and get_message_digest() on OpenSSL 3.x