commons-issues mailing list archives

From "Gary D. Gregory (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CODEC-133) Please add a function for the MD5/SHA1/SHA-512 based Unix crypt(3) hash variants
Date Fri, 20 Apr 2012 14:20:40 GMT

    [ https://issues.apache.org/jira/browse/CODEC-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258271#comment-13258271 ]

Gary D. Gregory commented on CODEC-133:
---------------------------------------

Hello again and thank you for your patience.

In one file I see:

{quote}
 * <p>
 * Based on the C implementation from Poul-Henning Kamp which was released under the following licence:
 * 
 * <pre>
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42): &lt;phk@login.dknet.dk&gt; wrote this file.
 * As long as you retain this notice you can do whatever you want with this
 * stuff. If we meet some day, and you think this stuff is worth it, you can buy
 * me a beer in return. Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 * Source: $FreeBSD: src/lib/libcrypt/crypt-md5.c,v 1.1 1999/01/21 13:50:09 brandon Exp $
 * http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt-md5.c?rev=1.1;content-type=text%2Fplain
 * </pre>
{quote}

I am not sure this is acceptable. IMO this can be removed because we are not shipping the
C code, but rather a port of a port.

And:

{quote}
 * <p>
 * Conversion to Kotlin and from there to Java in 2012 by Christian Hammers &lt;ch@lathspell.de&gt; and put into the
 * Public Domain.
 * <p>
 * The C style comments are from the original C code, the ones with "//" from me.
{quote}

The granting part is also assumed because the license was granted to Apache when the patch
was attached with the proper check-box selected.

Unless someone disagrees, I'll remove the above quoted text from the code and apply soon.

Thank you,
Gary


                
> Please add a function for the MD5/SHA1/SHA-512 based Unix crypt(3) hash variants
> --------------------------------------------------------------------------------
>
>                 Key: CODEC-133
>                 URL: https://issues.apache.org/jira/browse/CODEC-133
>             Project: Commons Codec
>          Issue Type: New Feature
>    Affects Versions: 1.6
>            Reporter: Christian Hammers
>              Labels: MD5, SHA-512, crypt(3), crypto, hash
>         Attachments: commons-codec-crypt3.diff, crypt3-with-utexas-licence.diff
>
>
> The Linux libc6 crypt(3) function, which is used to generate e.g. the password hashes in /etc/shadow, is available in nearly all other programming languages (Perl, PHP, Python, C, C++, ...) and databases like MySQL and offers MD5/SHA1/SHA-512 based algorithms that were improved by adding a salt and several iterations to make rainbow table attacks harder. Thus they are widely used to store user passwords.
> Java, though, has, due to its platform independence, no direct access to the libc functions and still lacks a proper port of the crypt(3) function.
> I already filed a wishlist bug (CODEC-104) for the traditional 56-bit DES based crypt(3) method but would also like to see the much stronger algorithms.
> There are other bug reports like DIRSTUDIO-738 that demand those crypt variants for some specific applications, so it would benefit other Apache projects as well.
> Java ports of most of the specific crypt variants are already existing, but they would have to be cleaned up, properly tested and license checked:
> ftp://ftp.arlut.utexas.edu/pub/java_hashes/
> I would be willing to help here by cleaning the source code and writing unit tests etc. but I'd like to generally know if you are interested and if there's someone who can do a code review (it's security relevant after all and I'm no crypto guy).
> bye,
> -christian-
