On 06/24/2012 04:34 AM, Stefan Fritsch wrote:
> On Sunday 24 June 2012, Graham Leggett wrote:
>> On 24 Jun 2012, at 12:01 AM, Stefan Fritsch wrote:
>>> Openssl is not required, neither for apr nor for httpd. I propose
>>> to import either crypt_blowfish or scrypt into apr, just like
>>> apr contains some foreign sha1 and md5 code. This way we would
>>> not get an additional external dependency.
>>
>> APR-util has a crypto library to deal with this exact problem - the
>> need for low level crypto functions without having to tightly bind
>> ourselves to one toolkit over another, or import code. With the
>> formal move by the Redhat people towards NSS as a shared crypto
>> API, this becomes more important as time goes by.
>>
>> Ideally, like we have a generic synchronous encryption API, we
>> should have a generic hash API too, so that the user can use
>> whatever hash that the underlying toolkit provides.
>
> I rather like the fact that you can use htpasswd on one system and use
> the result on another system, regardless of the operating system. If
> we are willing to give that up, we may just make htpasswd use the more
> advanced schemes offered by the system's crypt() function.

One complication to keep in mind: when you don't do all your
cryptography via a specific crypto library (OpenSSL, NSS, etc.) then
FIPS 140-2 compliance goes from trivial (for 2.4) to messy. Not
generally a problem outside of the U.S., but it very much matters
anywhere in the U.S. government market.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[email protected]
[email protected]
