Hi,

Support for SHA-224 SHA-256-SHA-384 and SHA-512 hashes has been added to rlm_pap. The correct digest algo is determined by the length of the value of SHA2-Password.

28 bytes - SHA-224
32 bytes - SHA-256
48 bytes - SHA-384
64 bytes - SHA-512

Wow, good news indeed!

So, all those different lengths are so to speak "multiplexed" into one single "SHA2-Password" attribute? Also, what is the encoding? base64?

A kinda logical next step would be to allow salted SHA2-x. The multiplexing wouldn't work there though due to unpredictable salt length...

Stefan


Password-With-Header prefixes {sha2},{sha256},{sha512} will all result in the Password-With-Header value being copied to a SHA2-Password attribute.  {sha256},{sha512} match the password headers used by the slapd-sha2 module developed for OpenLDAP.

Don't think many of the other hashes in OpenSSL's EVP_MD API are either widely used or appropriate for hashing passwords. But if someone knows differently then let me know.

The equivalent xlats have also been added for SHA-256 and SHA-512,  I don't think SHA-224 or SHA-384 are widely used enough to justify adding them, but it's only a two line patch if someone thinks differently.

Does anyone have a burning need for any of the other hashes supported by EVP_MD?

-Arran

Arran Cudbard-Bell <a.cudbardb@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html