apr-dev mailing list archives

From Helmut Tessarek <tessa...@evermeet.cx>
Subject Re: digest functions and validation - part 2
Date Fri, 09 May 2014 18:26:26 GMT
Thanks for the answer.

On 09.05.14 3:22 , Stefan Fritsch wrote:
> No. But which password hashing algorithms are used/supported by 
> apr_password_validate() is rather unrelated to which digest functions are 
> made available with a public interface. For password hashing, apr-util has 
> been supporting bcrypt since version 1.5.

It's great to have bcrypt available, but I hoped that Ulrich Drepper's sha256
and sha512 implementations would be part as well. His code is public domain,
so it shouldn't be a license issue. At the moment, bcrypt is the only safe
choice really. Doesn't this seem a bit strange to you?
IMO Ulrich's functions are standard these days and APR should include them,
just my 2 cents.

> What is missing is the support in httpd 2.2's htpasswd to generate hashes 
> with bcrypt. And even in 2.4, bcrypt is not yet used by default. Both 
> things should be changed, but are entirely unrelated to apr.

Yes, the httpd project seems strangely slow at times. It almost reminds me of
IBM, where I worked for 17 years. (You have a great idea, which takes you half
a day to implement (which you do), but then it takes 2 years (and a lot of
administrative processes) to get it into a product - if at all.)


regards Helmut K. C. Tessarek
lookup http://sks.pkqs.net for KeyID 0xC11F128D

   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
