Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:20048 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38785 invoked by uid 1010); 16 Nov 2005 02:17:09 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 38770 invoked from network); 16 Nov 2005 02:17:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 16 Nov 2005 02:17:09 -0000 X-Host-Fingerprint: 69.225.174.131 69-225-174-131.ded.pacbell.net Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) Received: from ([69.225.174.131:51516] helo=x.win.covalent.net) by pb1.pair.com (ecelerity 2.0 beta r(6323M)) with SMTP id A7/8C-07637-5A69A734 for ; Tue, 15 Nov 2005 21:17:09 -0500 Received: from [192.168.0.21] ([24.13.128.132]) by x.win.covalent.net over TLS secured channel with Microsoft SMTPSVC(5.0.2195.6713); Tue, 15 Nov 2005 18:15:05 -0800 Message-ID: <437A9647.3030108@rowe-clan.net> Date: Tue, 15 Nov 2005 20:15:35 -0600 User-Agent: Mozilla Thunderbird 1.0.7-1.1.fc3 (X11/20050929) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Sara Golemon CC: internals@lists.php.net References: <20051115221143.GA28082@hardened-php.net> <003d01c5ea4d$61bbdbd0$5c8be5a9@ohr.berkeley.edu> In-Reply-To: <003d01c5ea4d$61bbdbd0$5c8be5a9@ohr.berkeley.edu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 16 Nov 2005 02:15:05.0312 (UTC) FILETIME=[8F0D3600:01C5EA53] Subject: Re: [PHP-DEV] Re: PHP 5.1.0 - sha256() and sha256_file() support From: wrowe@rowe-clan.net ("William A. Rowe, Jr.") Sara Golemon wrote: >>>with MD5 and SHA1 more or less broken > > Overstatement much? > > I've had implementations of sha256,384, and 512 lying about for months now > (possibly over a year), but was told they didn't have a place in core since > mhash provided the functionality (A statement I recall agreeing with at the > time fwiw). What changed? One consideration, if one wanted to deploy PHP in a FIPS compliant manner, is that reimplementations of these algorithms is not acceptable. One clean solution if linked against OpenSSL is to dispatch sha256/384/512 to those certified algorithms. But in any case, all three certainly make sense. Adding sha256 alone sure seems like a false start.