Skip to content
/ server Public

MDEV-31669: use sha2-256 as a digest instead of md5 #4573

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MohamedM216 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

MDEV-31669: use sha2-256 as a digest instead of md5 #4573

MohamedM216 wants to merge 2 commits into from

Conversation

@MohamedM216
Copy link
Contributor

@MohamedM216 MohamedM216 commented Jan 21, 2026
edited
Loading

Jira Issue number for this PR: MDEV-31669

I followed mysql implementation as suggested in jira.

PERFORMANCE SCHEMA MD5 DIGEST NEEDS TO CHANGE DIGEST FOR FIPS
COMPLIANCE
Before this fix, DIGEST hashes are computed using the MD5 hash.
MD5 is not FIPS compliant.
This fix replaces the MD5 hash with SHA256 (which is compliant).
As a result, DIGEST columns are changed from VARCHAR(32) to VARCHAR(64)

@gkodinov gkodinov added the External Contribution All PRs from entities outside of MariaDB Foundation, Corporation, Codership agreements. label Jan 22, 2026
gkodinov
gkodinov requested changes Jan 22, 2026
View reviewed changes
Copy link
Member

@gkodinov gkodinov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a preliminary review. Right now there's no strong opposition against removing MD5 from this. But the choice of a replacement hash function is yet to be determined. I can see the logic in Sergei's argument that using a crypto hash for a non-crypto purpose is kind of a mismatch. But I will leave that discussion for the final review now.

First of all: please make sure the change compiles and runs all buildbot test in a satisfactory way.

sql/sql_digest.cc
#include "mariadb.h"
#include "my_md5.h"
#include "sha2.h" // SHA256
#include "unireg.h"
Copy link
Member

@gkodinov gkodinov Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sha2 is causing a compile error. Please fix that.

Copy link
Contributor Author

@MohamedM216 MohamedM216 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sha2.h header exists locally on my machine, so following the mysql implementation worked fine for my local build. However, I switched to evp.h to ensure a consistent and portable header across different build environments.

@MohamedM216 MohamedM216 force-pushed the feat-use-sha2-256/MDEV-31669 branch from 899f3b3 to 3e7b460 Compare January 22, 2026 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gkodinov gkodinov gkodinov requested changes

Assignees

No one assigned

Labels

External Contribution All PRs from entities outside of MariaDB Foundation, Corporation, Codership agreements.

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MohamedM216 @gkodinov