[erlang-questions] OpenSSL 1.0 removed md2 and this affects Erlang/OTP builds.

[Jesper Louis Andersen]

Just a quick FYI:

A modern Ubuntu (11.10 - will be released later this month) ships with
a more recent OpenSSL library. In this SSL-library it has been decided
to kill md2 as a message digest algorithm, probably due to its
appalling cryptographic strength. This yields a problem with building
the "dev" branch of Erlang/OTP:

gcc -c -o .... /home/jlouis/Projects/otp/erts/emulator/sys/unix crypto.c
crypto.c:46:25: fatal error: openssl/md2.h: No such file or directory
compilation terminated.

specifically in and around the unix crypto.c (crypto module). My guess
is that this problem will begin to crop up shortly after the release,
mainly because people will like to build their software again.

The md2 functions are used in rsa_verify and rsa_sign (two C NIFs),
which is the reason for the include in the first place. Also note that
we have no calls to md2 from the Erlang world (luckily) so this limits
the impact on Erlang code: Some signatures that could be verified can
not anymore. But verifying a signature against md2 is probably not too
clever.

On the same basis: When do we get to ditch MD5 and SHA1? Both message
digests are probably going to become problematic. MD5 is already
broken for its 2nd preimage resistance to the point where nobody can
use it for that anymore. SHA1 will follow shortly, there are cracks
all over the place. We really want an API which is message digest
agnostic. Something along the lines of:

-spec crypto:message_digest(digest_algorithm(), iolist()) -> digest().

where digest_algorithm() is md5 | sha1 | sha256 | ... and digest() is
either integer() or binary() - probably the latter with conversion
functions to hex-strings and so on, because that format is the common
one. The rationale for this choice is simple: history shows that most
cryptographic algorithms breaks down over time - one way or the other.

-- 
J.