On Sunday 24 June 2012, Graham Leggett wrote: > On 24 Jun 2012, at 12:01 AM, Stefan Fritsch wrote: > > Openssl is not required, neither for apr nor for httpd. I propose > > to import either crypt_blowfish or scrypt into apr, just like > > apr contains some foreign sha1 and md5 code. This way we would > > not get an additional external dependency. > > APR-util has a crypto library to deal with this exact problem - the > need for low level crypto functions without having to tightly bind > ourselves to one toolkit over another, or import code. With the > formal move by the Redhat people towards NSS as a shared crypto > API, this becomes more important as time goes by. > > Ideally, like we have a generic synchronous encryption API, we > should have a generic hash API too, so that the user can use > whatever hash that the underlying toolkit provides.
I rather like the fact that you can use htpasswd on one system and use the result on another system, regardless of the operating system. If we are willing to give that up, we may just make htpasswd use the more advanced schemes offered by the system's crypt() function. Also, using what is available in the crypto libraries would limit us to PKCS5/PBKDF2, which is the only password hashing algorithm supported by openssl (AFAICS). Since PBKDF2 is based on sha256, though, it scales relatively well on GPUs. Of course, we could also implement other schemes on top of some cryptographhic hash or cipher provided by the crypto libraries. But I would rather avoid that because it's a lot of work to verify the result.
