ssl

Moderators: Klaus, FourthWorld, heatherlaine, kevinmiller, LCMark

ssl

Postby mwieder » Wed May 20, 2015 10:11 pm

I was about to add sha512 support to complement sha1, but I notice that we're implementing our own functions instead of calling the ones in the openssl library. Is there a valid reason for that?
mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
 
Posts: 2561
Joined: Mon Jan 22, 2007 7:36 am
Location: Berkeley, CA, US

Re: ssl

Postby LCMark » Thu May 21, 2015 9:25 am

When we added sha1 I just followed the same pattern as md5 (by using an open source imp that was readily available - Scott implemented md5 by hand way back). This means they don't have a dependence on revsecurity - which these days probably doesn't matter so much anymore since the world is/has moved to ssl.

There's a pull request with a spec for digest functions I wrote a while ago here:

https://github.com/runrev/livecode/pull/1897

The main issue is choosing appropriate function names - sha256 / sha512 are somewhat ambiguous when you consider the current (1,2) and soon to come sha3 algorithms.
LCMark
Livecode Staff Member
Livecode Staff Member
 
Posts: 927
Joined: Thu Apr 11, 2013 11:27 am

Re: ssl

Postby mwieder » Sun Jun 28, 2015 6:30 am

I've looked over the pull request, and that all seems reasonable. I don't have strong opinions about the proposed syntax.

Looking at the build files in the libopenssl directory, it seems that we're grabbing the latest openssl library, and that's good. It's not clear to me what happens after that, though... when a standalone app is built are we just using links to whatever openssl library is installed on the target computer or are we bundling the openssl library from the build computer? If it's the latter, then standalone apps won't get security patches.
mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
 
Posts: 2561
Joined: Mon Jan 22, 2007 7:36 am
Location: Berkeley, CA, US

Re: ssl

Postby AxWald » Fri Jul 10, 2015 9:36 pm

Hi,

mwieder wrote:If it's the latter, then standalone apps won't get security patches.


Sry that I interfere here, I'm by far not qualified.
But do StandAlones get patches now, actually?

Besides, I'm using libHash-Hmac by Mark Smith now, will this become obsolete? Will you be compatible with (other handler names at least)?

Thx, and have fun!
Livecode programming until the cat hits the fan ...
AxWald
 
Posts: 280
Joined: Thu Mar 06, 2014 2:57 pm


Return to Engine Contributors

Who is online

Users browsing this forum: No registered users and 1 guest