Date: Sat, 25 Feb 2012 01:09:48 +0000 (UTC)
From: "Gary D. Gregory (Commented) (JIRA)"
To: issues@commons.apache.org
Message-ID: <1198826184.18408.1330132188605.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <1886772658.3731.1328563139477.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (CODEC-133) Please add a function for the MD5/SHA1/SHA-512 based Unix crypt(3) hash variants

[ https://issues.apache.org/jira/browse/CODEC-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216206#comment-13216206 ]

Gary D. Gregory commented on CODEC-133:
---------------------------------------

Howdy,

I see:

{noformat}
+
+ Copyright (c) 2008-2010 The University of Texas at Austin.
+
+ All rights reserved.
+
+ Redistribution and use in source and binary form are permitted
+ provided that distributions retain this entire copyright notice
+ and comment. Neither the name of the University nor the names of
+ its contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY
+ EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE.
+
{noformat}

I do not know if this can be used in Apache as is. I'll ask on the ML.

The patch provided includes a lot of noise due to Javadoc changes that I imagine are not intentional. It would be better to provide a patch without this noise to make it easier to review.

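Review bot: the added header, from "+ Copyright (c) 2008-2010 The University of Texas at Austin." through "+ PARTICULAR PURPOSE.", brings third-party terms into the file without saying which code they cover. Because the notice itself requires that distributions "retain this entire copyright notice and comment", keep it verbatim and add a line next to it naming the original source the ported code was taken from, so the licence question can be answered file by file.
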
> Please add a function for the MD5/SHA1/SHA-512 based Unix crypt(3) hash variants
> --------------------------------------------------------------------------------
>
> Key: CODEC-133
> URL: https://issues.apache.org/jira/browse/CODEC-133
> Project: Commons Codec
> Issue Type: New Feature
> Affects Versions: 1.6
> Reporter: Christian Hammers
> Labels: MD5, SHA-512, crypt(3), crypto, hash
> Attachments: crypt3-with-utexas-licence.diff
>
>
> The Linux libc6 crypt(3) function, which is used to generate e.g. the password hashes in /etc/shadow, is available in nearly all other programming languages (Perl, PHP, Python, C, C++, ...) and databases like MySQL and offers MD5/SHA1/SHA-512 based algorithms that were improved by adding a salt and several iterations to make rainbow table attacks harder. Thus they are widely used to store user passwords.
> Java, though, has, due to its platform independence, no direct access to the libc functions and still lacks a proper port of the crypt(3) function.
> I already filed a wishlist bug (CODEC-104) for the traditional 56-bit DES based crypt(3) method but would also like to see the much stronger algorithms.
> There are other bug reports like DIRSTUDIO-738 that demand those crypt variants for some specific applications, so it would benefit other Apache projects as well.
> Java ports of most of the specific crypt variants already exist, but they would have to be cleaned up, properly tested and license checked:
> ftp://ftp.arlut.utexas.edu/pub/java_hashes/
> I would be willing to help here by cleaning the source code and writing unit tests etc. but I'd like to generally know if you are interested and if there's someone who can do a code review (it's security relevant after all and I'm no crypto guy).
> bye,
> -christian-
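
The salted, iterated hashing that the issue description refers to, shown for the MD5-based `$1$` variant as an added example in Python; it is not part of the original message, not Commons Codec code and not the utexas port. The password `password` and the salts `xxxxxxxx` and `yyyyyyyy` are constructed sample values.

```python
# Added illustration of the $1$ (MD5-based) crypt(3) scheme; sample inputs are constructed.
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, length: int) -> str:
    """crypt(3)'s own base64 variant: 6 bits per character, low bits first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Compute the $1$ crypt(3) hash of password under salt."""
    salt = salt[:8]                      # the scheme uses at most 8 salt bytes
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bits = len(password)
    while bits:                          # one byte per bit of the password length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    digest = ctx.digest()
    for i in range(1000):                # fixed iteration count of the $1$ scheme
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else digest)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(digest if i & 1 else password)
        digest = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64(digest[a] << 16 | digest[b] << 8 | digest[c], 4) for a, b, c in groups)
    return f"$1${salt.decode('ascii')}${encoded}{_to64(digest[11], 2)}"

def verify(password: bytes, stored: str) -> bool:
    """Re-hash with the salt embedded in the stored string; compare in constant time."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "1":
        raise ValueError("only the $1$ scheme is handled here")
    return hmac.compare_digest(md5_crypt(password, salt.encode("ascii")), stored)

if __name__ == "__main__":
    print(md5_crypt(b"password", b"xxxxxxxx"))
    print(md5_crypt(b"password", b"yyyyyyyy"))   # same password, different salt
```

The two printed hashes differ although the password is the same, which is what forces a precomputed table to be rebuilt per salt; the 1000 rounds multiply the cost of every guess.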