[
https://issues.apache.org/jira/browse/COUCHDB-625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12803199#action_12803199
]
Chris Anderson commented on COUCHDB-625:
----------------------------------------
On Wed, Jan 20, 2010 at 7:16 PM, Brian McCallister <[email protected]> wrote:
> On copyright front, pretty sure you are all clear -- could be
> copyright problem to cut and paste, not to learn from and use to
> implement. My bigger concern is about the the crypto impl -- avoiding
> things like timing attacks on algorithms is very tricky, and unless
> you really grok them, you probably have side channel weaknesses in the
> impl :-(
Yes that's why I prefer to have a native erlang fallback instead of a
lightweight c implementation. At least it will be clear for
performance reasons that you shouldn't be running on less than a full
OpenSSL-based library.
I'd I think it's worth the cost of widespread adoption on embedded
devices. Maybe it'd be smart to make a compile time dependency
warning, so people know what they are getting into.
Devs -- what about this compile time warning if we drop back to native crypto?
This might be more solid from a no-surprises standpoint than the current patch
which switches at runtime.
> Pure Erlang alternative to crypto library
> -----------------------------------------
>
> Key: COUCHDB-625
> URL: https://issues.apache.org/jira/browse/COUCHDB-625
> Project: CouchDB
> Issue Type: Improvement
> Components: Infrastructure
> Reporter: Jonathan D. Knezek
> Assignee: Chris Anderson
> Priority: Minor
> Attachments: ccrypto.erl, ccrypto.erl
>
>
> On some platforms (in my case a SheevaPlug running on armv5te) it may be
> difficult or impossible to obtain a version of Erlang built with support for
> the crypto standard library. I grepped the CouchDB source and have attempted
> to reproduce the used crypto calls in pure Erlang.
> I have reproduced the start/0, rand_uniform/2, rand_bytes/1, sha/1, and
> sha_mac/2 functions, along with test_sha/1 and test_sha_mac/1 functions to
> validate the pure Erlang results against the crypto library's results. The
> public non-test functions attempt to first call into crypto if available, as
> it is the preferred implementation.
> As I'm not familiar with the build system, app system, etc. of Erlang I am
> only attaching the library implementation. I'm sure more work would be
> required to fully integrate it into CouchDB if accepted.
> As far as licensing goes, SHA1 is defined in NIST FIPS 180-2
> (http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf), and
> according to the IETF, the patent covering the algorithm has been made
> royalty-free (https://datatracker.ietf.org/ipr/858).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
