On Tue, Jun 05, 2001 at 01:54:05AM +0200, Sander Striker wrote: > Hi, > > This patch adds HMAC MD5 to apr-util.
Where would we use this? Is this algorithm of sufficient usage that it would benefit being in apr-util? I've never heard of HMAC before - I had to look it up on rfc-editor.org. Maybe I live in a paper bag. I'd just like to make sure that someone is using this before it gets committed. I'd like to prevent feature creep (we're so beyond that point). Here's my line in the sand... =) I'll cast a -0 on this patch (I can do that, right?). I guess the distinction between what we have in apr-util and what is in OpenSSL is that the code is *probably* more portable (IIRC, OpenSSL sort of works on Win32 - correct me if I'm wrong). Sander, I think OpenSSL's portability *might* be an issue for you as you often use Win32. I don't use Win32 so I wouldn't know. Personally, I'd defer to what Ralf and Ben have to say about this - I think they both are on the APR lists (in case you don't know - they are also OpenSSL core members). I think Ben posted a "What's up with this crypto stuff?" message in the last day or so. Well, *I* am not sure how the crypto stuff fits in either. So, time to get some feedback. My $.02: I would be inclined that the more popular stuff (md5 and sha1) be included so that they are always present, but the more esoteric stuff can stay in OpenSSL. If you need those odd crypto functions, then you need to figure out where OpenSSL is to link against, or start submitting patches to them to get it to work. I'm not sure that APR needs to be a general purpose crypto library - OpenSSL does a decent enough job as-is (from what I've been told). Since OpenSSL is under an Apache-style license, there shouldn't be any problem using their code. Thoughts? *I* want to hold off on adding more crypto until I know what others think and we have a coherent plan for crypto/. Hence, my -0. I think that adding the link requirement of OpenSSL under all cases to httpd will be troublesome (i.e. if we use OpenSSL for SHA1). But, when Ralf et al get around to cleaning up the mod_ssl/mod_tls stuff, we might have a good way to detect/link against OpenSSL (so, we'd remove crypto/ entirely from apr-util). I'm not in a position to add external build requirements. That's a mighty big thing which needs to be well thought out. > PS. If someone is looking into MD5, maybe MD5_DIGESTSIZE can be changed to > APR_MD5_DIGESTSIZE, like in the md4 code (which has APR_MD4_DIGESTSIZE). Yeah, I should do that, shouldn't I? One of these days... -- justin
