Posted: Wed May 20, 2015 10:11 pm
I was about to add sha512 support to complement sha1, but I notice that we're implementing our own functions instead of calling the ones in the openssl library. Is there a valid reason for that?
Posted: Thu May 21, 2015 9:25 am
When we added sha1 I just followed the same pattern as md5 (by using an open source imp that was readily available - Scott implemented md5 by hand way back). This means they don't have a dependence on revsecurity - which these days probably doesn't matter so much anymore since the world is/has moved to ssl.
There's a pull request with a spec for digest functions I wrote a while ago here:
The main issue is choosing appropriate function names - sha256 / sha512 are somewhat ambiguous when you consider the current (1,2) and soon to come sha3 algorithms.
Posted: Sun Jun 28, 2015 6:30 am
I've looked over the pull request, and that all seems reasonable. I don't have strong opinions about the proposed syntax.
Looking at the build files in the libopenssl directory, it seems that we're grabbing the latest openssl library, and that's good. It's not clear to me what happens after that, though... when a standalone app is built are we just using links to whatever openssl library is installed on the target computer or are we bundling the openssl library from the build computer? If it's the latter, then standalone apps won't get security patches.
Posted: Fri Jul 10, 2015 9:36 pm
mwieder wrote: If it's the latter, then standalone apps won't get security patches.
Sry that I interfere here, I'm by far not qualified.
But do StandAlones get patches now, actually?
Besides, I'm using libHash-Hmac by Mark Smith now, will this become obsolete? Will you be compatible with (other handler names at least)?
Thx, and have fun!