apr-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Choosing a stronger password hash algorithm
Date Sat, 23 Jun 2012 22:51:08 GMT
On 24 Jun 2012, at 12:01 AM, Stefan Fritsch wrote:

> OpenSSL is not required, neither for apr nor for httpd. I propose to 
> import either crypt_blowfish or scrypt into apr, just like apr 
> contains some foreign sha1 and md5 code. This way we would not get an 
> additional external dependency.

APR-util has a crypto library to deal with this exact problem - the need for low level crypto
functions without having to tightly bind ourselves to one toolkit over another, or import
code. With the formal move by the Red Hat people towards NSS as a shared crypto API, this becomes
more important as time goes by.

Ideally, like we have a generic synchronous encryption API, we should have a generic hash
API too, so that the user can use whatever hash that the underlying toolkit provides.

