Thanks for the answer. On 09.05.14 3:22 , Stefan Fritsch wrote: > No. But which password hashing algorithmis are used/supported by > apr_password_validate() is rather unrelated to which digest functions are > made available with a public interface. For password hashing, apr-util has > been supporting bcrypt since version 1.5.
It's great to have bcrypt available, but I hoped that Ulrich Drepper's sha256 and sha512 implementations would be part as well. His code is public domain, so it shouldn't be a license issue. At the moment, bcrypt is the only safe choice really. Doesn't this seem a bit strange to you? IMO Ulrich's functions are standard these days and APR should include them, just my 2 cents. > What is missing is the support in httpd 2.2's htpasswd to generate hashes > with bcrypt. And even in 2.4, bcrypt is not yet used by default. Both > things should be changed, but are entirely unrelated to apr. Yes, the httpd project seems stangely slow at times. It almost reminds me of IBM, where I worked for 17 years. (You have a great idea, which takes you half a day to implement (which you do), but then it takes 2 years (and a lot of administrative processes) to get it into a product - if at all.) Cheers, Helmut -- regards Helmut K. C. Tessarek lookup http://sks.pkqs.net for KeyID 0xC11F128D /* Thou shalt not follow the NULL pointer for chaos and madness await thee at its end. */
