EVP Message Digest requests

Stefan Winter stefan.winter at restena.lu
Thu Feb 6 20:46:36 CET 2014


> Support for SHA-224 SHA-256-SHA-384 and SHA-512 hashes has been added
> to rlm_pap. The correct digest algo is determined by the length of the
> value of SHA2-Password.
> 28 bytes - SHA-224
> 32 bytes - SHA-256
> 48 bytes - SHA-384
> 64 bytes - SHA-512

Wow, good news indeed!

So, all those different lengths are so to speak "multiplexed" into one
single "SHA2-Password" attribute? Also, what is the encoding? base64?

A kinda logical next step would be to allow salted SHA2-x. The
multiplexing wouldn't work there though due to unpredictable salt length...


> Password-With-Header prefixes {sha2},{sha256},{sha512} will all result
> in the Password-With-Header value being copied to a SHA2-Password
> attribute.  {sha256},{sha512} match the password headers used by the
> slapd-sha2 module developed for OpenLDAP.
> Don't think many of the other hashes in OpenSSL's EVP_MD API are
> either widely used or appropriate for hashing passwords. But if
> someone knows differently then let me know.
> The equivalent xlats have also been added for SHA-256 and SHA-512,  I
> don't think SHA-224 or SHA-384 are widely used enough to justify
> adding them, but it's only a two line patch if someone thinks differently.
> Does anyone have a burning need for any of the other hashes supported
> by EVP_MD?
> -Arran
> Arran Cudbard-Bell <a.cudbardb at freeradius.org
> <mailto:a.cudbardb at freeradius.org>>
> FreeRADIUS Development Team
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20140206/fe0073db/attachment.html>

More information about the Freeradius-Devel mailing list