Message digests (MD
)¶
OpenSSL’s opaque EVP_MD type enables replacing the built-in digest algorithm implementations. The BCrypt EVP engine supports SHA-1, SHA-256, SHA-384 and SHA-512. These are identified via the identifiers NID_sha1
, NID_sha256
, NID_sha384
and NID_sha512
. All of these are tested in test_bcrypt_sha.cpp
.
As explained in section Customized HMAC key (PKEY), the BCrypt EVP engine provides keyed versions of these digests as well.
Control commands¶
The digests support the EVP_MD_CTRL_MICALG
command, which is documented in the section CONTROLS in the OpenSSL man page. The value returned in p2
has to be freed by the caller using the OPENSSL_free function.
Known issues or limitations¶
See the Wikipedia page on SHA-1 for references discussing the use of SHA-1. Many organizations have recommended its replacement but it is still considered secure for HMAC.