ssl

Moderators: FourthWorld, heatherlaine, Klaus, kevinmiller, LCMark

Locked
mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3581
Joined: Mon Jan 22, 2007 7:36 am
Location: Berkeley, CA, US
Contact:

ssl

Post by mwieder » Wed May 20, 2015 10:11 pm

I was about to add sha512 support to complement sha1, but I notice that we're implementing our own functions instead of calling the ones in the openssl library. Is there a valid reason for that?

LCMark
Livecode Staff Member
Livecode Staff Member
Posts: 1206
Joined: Thu Apr 11, 2013 11:27 am

Re: ssl

Post by LCMark » Thu May 21, 2015 9:25 am

When we added sha1 I just followed the same pattern as md5 (by using an open source imp that was readily available - Scott implemented md5 by hand way back). This means they don't have a dependence on revsecurity - which these days probably doesn't matter so much anymore since the world is/has moved to ssl.

There's a pull request with a spec for digest functions I wrote a while ago here:

https://github.com/runrev/livecode/pull/1897

The main issue is choosing appropriate function names - sha256 / sha512 are somewhat ambiguous when you consider the current (1,2) and soon to come sha3 algorithms.

mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3581
Joined: Mon Jan 22, 2007 7:36 am
Location: Berkeley, CA, US
Contact:

Re: ssl

Post by mwieder » Sun Jun 28, 2015 6:30 am

I've looked over the pull request, and that all seems reasonable. I don't have strong opinions about the proposed syntax.

Looking at the build files in the libopenssl directory, it seems that we're grabbing the latest openssl library, and that's good. It's not clear to me what happens after that, though... when a standalone app is built are we just using links to whatever openssl library is installed on the target computer or are we bundling the openssl library from the build computer? If it's the latter, then standalone apps won't get security patches.

AxWald
Posts: 578
Joined: Thu Mar 06, 2014 2:57 pm

Re: ssl

Post by AxWald » Fri Jul 10, 2015 9:36 pm

Hi,
mwieder wrote:If it's the latter, then standalone apps won't get security patches.
Sry that I interfere here, I'm by far not qualified.
But do StandAlones get patches now, actually?

Besides, I'm using libHash-Hmac by Mark Smith now, will this become obsolete? Will you be compatible with (other handler names at least)?

Thx, and have fun!
All code published by me here was created with Community Editions of LC (thus is GPLv3).
If you use it in closed source projects, or for the Apple AppStore, or with XCode
you'll violate some license terms - read your relevant EULAs & Licenses!

Locked

Return to “Engine Contributors”