apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Stein <gst...@lyra.org>
Subject Re: cvs commit: apr/test aprtest.dsp aprtest.dsw aprtest.win Makefile.in sendfile.c testmmap.c client.dsp htdigest.dsp server.dsp test.dsw testarg.dsp testfile.dsp testproc.dsp testsig.dsp testsock.dsp testsuite.dsw testthread.dsp testucs.dsp timetest.dsp
Date Mon, 04 Dec 2000 23:26:57 GMT
On Mon, Dec 04, 2000 at 03:11:54PM -0800, rbb@covalent.net wrote:
> > > I would really prefer that we keep some way to encode passwords in
> > > APR.  This is a portability issue, so -1 (vote, not veto) for removing
> > > md5 from APR.
> > 
> > I'm +1 on moving them to apr-util ... MD5 hashing is entirely portable. That
> > is also where SHA-1 hashing is located.
> > 
> > (the standard crypt() is generally non-portable and would remain in APR;
> >  that should solve Ryan's request for a way to hash [not encode] passwords)
> We don't have a crypt routine, and there has been no discussion of putting
> crypt into APR so far.

htpasswd uses crypt(), but that is quite platform specific. It probably
should use an APR cover for it.

> Plus, for backwards compatability with 1.3, APR
> will need to understand how to check for MD5 passwords.

APR doesn't do this. Apache does. Since MD5 will be available in apr-util,
there shouldn't be any problem.

> Otherwise, andbody who chose to create MD5 password files will need to
> re-create their password files for 2.0.  I am -1 for forcing them to do
> that, and that is a veto.

I would agree with that veto, except it isn't needed :-) The MD5 password
files are managed by Apache... not APR.

The only thing that uses MD5 in APR is the UUID generation on non-Windows
platforms. However, it has no real requirement to do so. The MD5 hashing was
simply used as a way to create random data.


Greg Stein, http://www.lyra.org/

View raw message