couchdb-dev mailing list archives

From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: Cryptography in CouchDB
Date Tue, 18 Aug 2009 05:36:17 GMT
On Tue, Aug 18, 2009 at 1:16 AM, Curt Arnold<carnold@apache.org> wrote:
>
> On Aug 17, 2009, at 6:45 PM, Damien Katz wrote:
>
>> I don't think it's necessary as we aren't encrypting anything. We do use
>> the crypto library, but only for generating random UUIDs.
>>
>> -Damien
>>
>
> Probably should have used "suspect" or "concerned" or something more
> speculative.  Noticing that CouchDB would not start on an Erlang runtime
> without openssl was a bit jarring. OAuth would also seem to have a
> significant likelihood of incorporating encryption.  Those two facts seemed
> to warrant a message.
>

It is a bit odd. But like Damien says, the only calls to SSL are
crypto:rand_bytes(16) which AFAIK is basically a mask to the best
random number generator supported. It definitely does seem odd.

> The whole export license stuff is a quagmire that I've taken pains to
> avoid.  Definitely think that you should check with legal-discuss if you
> have any questions.
>
> erlang_oauth has a module named oauth_rsa_sha1 which makes me suspect that
> it would need an export declaration.
>

All of the cryptographic functionality it uses is supported by Erlang
stdlib modules. I actually stopped this from building because it's only
supported on newer versions of Erlang and we weren't using it so it
gets even more fun in that regard.

> The following code snippet from couch_http_oauth.erl
>
> consumer_lookup(Key, MethodStr) ->
>    SignatureMethod = case MethodStr of
>        "PLAINTEXT" -> plaintext;
>        "HMAC-SHA1" -> hmac_sha1;
>        %"RSA-SHA1" -> rsa_sha1;
>        _Else -> undefined
>
> appears to be aware of a specific encryption method.
>
>
> I also ran into this little snippet in couch_util.erl:
>
> %%% Purpose : Base 64 encoding and decoding.
> %%% Copied from ssl_base_64 to avoid using the
> %%% erlang ssl library
>
> If there is a required dependency on ssl elsewhere, the duplicated code
> probably should be eliminated.  Also, the "license notice" doesn't give me
> much confidence.
>
>
> FYI: Encryption notice for Erlang ssl:
> http://erlang.org/doc/apps/ssl/index.html
>
> My wild guess is that the previous CouchDB releases did not need an export
> or cryptography notice if all they did was use the random number generator
> from the SSL module.    erlang_oauth and couch_http_oauth seem to be aware
> of cryptographic methods which by my reading means that they require some
> action, but exactly what I'm uncertain.
>

It's weird 'cause they're aware, but aren't built, though if built would
use Erlang provided crypto functions. I'm pretty sure the HMAC stuff
is just SHA1 which the FAQ said isn't cryptographic. If no one
volunteers for legal-discuss duty I'll put it on the list for
tomorrow.

Thanks for catching that. It never would've crossed my mind to check
cryptographic exports since we're not the ones implementing or
distributing it.

Paul Davis
