Hi,
Support for SHA-224 SHA-256-SHA-384 and SHA-512 hashes has been added to rlm_pap. The correct digest algo is determined by the length of the value of SHA2-Password.
28 bytes - SHA-224 32 bytes - SHA-256 48 bytes - SHA-384 64 bytes - SHA-512
Wow, good news indeed! So, all those different lengths are so to speak "multiplexed" into one single "SHA2-Password" attribute? Also, what is the encoding? base64? A kinda logical next step would be to allow salted SHA2-x. The multiplexing wouldn't work there though due to unpredictable salt length... Stefan
Password-With-Header prefixes {sha2},{sha256},{sha512} will all result in the Password-With-Header value being copied to a SHA2-Password attribute. {sha256},{sha512} match the password headers used by the slapd-sha2 module developed for OpenLDAP.
Don't think many of the other hashes in OpenSSL's EVP_MD API are either widely used or appropriate for hashing passwords. But if someone knows differently then let me know.
The equivalent xlats have also been added for SHA-256 and SHA-512, I don't think SHA-224 or SHA-384 are widely used enough to justify adding them, but it's only a two line patch if someone thinks differently.
Does anyone have a burning need for any of the other hashes supported by EVP_MD?
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org <mailto:a.cudbardb@freeradius.org>> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html