On Thu, 12 Dec 2024 at 14:27, Peter Dimov
Ruben Perez wrote:
As a potential user mainly interested in the "hashing untyped byte sequences" use case (involving SHA2), do you think migrating from OpenSSL to Boost.Hash2 would be detrimental for security at this point? If the answer is yes, is there a way to remediate this (even after the library gets accepted)? Or is this just not the main use case of the library?
The use case involves generating digests for a network protocol (MySQL).
I'd like to know both Tom's and Peter's opinions.
Can you please point me to the source code portions in Boost.MySQL that implement SHA-2 authentication?
Current code (using OpenSSL): https://github.com/boostorg/mysql/blob/c438f26731e36c2db6457705ec5dbb9f7657d... Code using the proposed library: https://github.com/boostorg/mysql/pull/389/files#diff-1ce941e5f315c38f0eb53e... Protocol docs: https://dev.mysql.com/doc/dev/mysql-server/8.4.3/page_caching_sha2_authentic... It's somehow similar in spirit to SCRAM-SHA256, but built in-house by MySQL.