|
|
Boost : |
From: Ruben Perez (rubenperez038_at_[hidden])
Date: 2024-12-12 20:01:13
On Thu, 12 Dec 2024 at 14:27, Peter Dimov <pdimov_at_[hidden]> wrote:
>
> Ruben Perez wrote:
> > As a potential user mainly interested in the "hashing untyped byte sequences"
> > use case (involving SHA2), do you think migrating from OpenSSL to
> > Boost.Hash2 would be detrimental for security at this point? If the answer is
> > yes, is there a way to remediate this (even after the library gets accepted)? Or
> > is this just not the main use case of the library?
> >
> > The use case involves generating digests for a network protocol (MySQL).
> >
> > I'd like to know both Tom's and Peter's opinions.
>
> Can you please point me to the source code portions in Boost.MySQL that
> implement SHA-2 authentication?
>
>
Current code (using OpenSSL):
https://github.com/boostorg/mysql/blob/c438f26731e36c2db6457705ec5dbb9f7657db2a/include/boost/mysql/impl/internal/auth/auth.ipp#L101-L114
Code using the proposed library:
https://github.com/boostorg/mysql/pull/389/files#diff-1ce941e5f315c38f0eb53e030e8752ae5d1209b702305b60e22024c138e29be5R45-R58
Protocol docs: https://dev.mysql.com/doc/dev/mysql-server/8.4.3/page_caching_sha2_authentication_exchanges.html
It's somehow similar in spirit to SCRAM-SHA256, but built in-house by MySQL.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk