> OK. If the <hash> is given by this side (as opposed to "you started > to talk to a remote, and it turns out that you are still talking > SHA-1 but the other side talks SHA-256 and their <hash> size that is > 64 does not match your 40" case), then checking against > the_hash_algo->hexsz should be sufficient. The original suggestion > was tried both because I didn't know where <hash> originates, and we > would want to redact even in such a hash type mismatch case. > > Thanks. Will take a look at the updated one. This is when reading from the remote, so <hash> comes from the other side. I don't think that the remote sending the wrong hash size (and then needing to redact) is a big concern, but there is definitely no harm in checking for both (and commenting that these are the SHA-1 and SHA-256 hash sizes).
