Posted to bugs@apr.apache.org by bu...@apache.org on 2010/05/14 00:23:54 UTC

DO NOT REPLY [Bug 49288] New: Add support for stronger cryptographic hashing functions

https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

           Summary: Add support for stronger cryptographic hashing
                    functions
           Product: APR
           Version: HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: APR-util
        AssignedTo: bugs@apr.apache.org
        ReportedBy: mathew.binkley@vanderbilt.edu


APR (and thus htpasswd) currently only supports crypt(), MD5, and SHA1-based
passwords.  Moore's law and algorithmic improvements are increasingly making
passwords stored in those hash functions vulnerable to cracking.

It would be beneficial if there were stronger hash functions such as
sha256/512, whirlpool, or pbkdf2 available for use.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


DO NOT REPLY [Bug 49288] Add support for stronger cryptographic hashing functions

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

dmagda+asf@ee.ryerson.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dmagda+asf@ee.ryerson.ca



DO NOT REPLY [Bug 49288] Add support for stronger cryptographic hashing functions

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

--- Comment #2 from dmagda+asf@ee.ryerson.ca 2012-01-31 19:16:09 UTC ---
(In reply to comment #0)
> APR (and thus htpasswd) currently only supports crypt(), MD5, and SHA1-based
> passwords.  Moore's law and algorithmic improvements are increasingly making
> passwords stored in those hash functions vulnerable to cracking.
> 
> It would be beneficial if there were stronger hash functions such as
> sha256/512, whirlpool, or pbkdf2 available for use.

Another option would be to call the system crypt() function and leverage any
capabilities it has with stronger hashes.

So for the ALG_CRYPT case in htpasswd.c's mkrecord(), instead of just calling
rand() to generate the salt, one would call generate_salt() and prepend
"$2a$", "$5$", or "$6$" to it so that the system starts using a different
algorithm.

This may not work on all platforms (e.g., Solaris 8, AIX 5L), but for any Unix
revision released in the last ten years it should be okay.

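Added example (not part of the thread, and not code from htpasswd.c or APR): a sketch of the approach in comment #2 that builds a "$5$"/"$6$" setting string from random salt characters and rejects the result when the platform's crypt() did not honour the requested scheme, which is the portability risk that comment raises. The names make_setting, hash_with_scheme, crypt_fn and stub_crypt are hypothetical, and stub_crypt is a constructed stand-in so the file builds without libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Signature of crypt(3); pass the real crypt and link with -lcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

static const char B64[] =   /* salt alphabet used by crypt(3) schemes */
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Write "<prefix><16 random salt chars>$" into out; 0 on success.
 * Covers "$5$" and "$6$"; "$2a$" also needs a cost field, not built here. */
int make_setting(const char *prefix, char *out, size_t outlen)
{
    unsigned char rnd[16];
    size_t plen = strlen(prefix), i, got;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    got = fread(rnd, 1, sizeof rnd, f);
    fclose(f);
    if (got != sizeof rnd || plen + sizeof rnd + 2 > outlen) return -1;
    memcpy(out, prefix, plen);
    for (i = 0; i < sizeof rnd; i++)
        out[plen + i] = B64[rnd[i] & 63];
    memcpy(out + plen + i, "$", 2);  /* closing '$' and NUL */
    return 0;
}

/* Hash pw under the requested scheme. Returns NULL if fn fails or if the
 * result lacks the prefix, i.e. the platform silently used another scheme. */
const char *hash_with_scheme(crypt_fn fn, const char *pw, const char *prefix)
{
    char setting[40];
    const char *h;
    if (make_setting(prefix, setting, sizeof setting) != 0) return NULL;
    h = fn(pw, setting);
    return (h && strncmp(h, prefix, strlen(prefix)) == 0) ? h : NULL;
}

/* Constructed stand-in for a platform crypt() that knows "$6$" only and
 * treats every other setting as a traditional two-character salt. */
char *stub_crypt(const char *key, const char *setting)
{
    static char out[64];
    int keep = strncmp(setting, "$6$", 3) == 0 ? (int)strlen(setting) : 2;
    (void)key;
    snprintf(out, sizeof out, "%.*sCONSTRUCTED", keep, setting);
    return out;
}
```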


[Bug 49288] Add support for stronger cryptographic hashing functions

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

--- Comment #3 from Stefan Fritsch <sf...@sfritsch.de> ---
apr-util 1.5.x will add bcrypt support



DO NOT REPLY [Bug 49288] Add support for stronger cryptographic hashing functions

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

--- Comment #1 from Mathew Binkley <ma...@vanderbilt.edu> 2010-05-13 18:26:23 EDT ---
I forgot to mention that any newer hashing function should support salting.



[Bug 49288] Add support for stronger cryptographic hashing functions

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

S <bl...@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |blama@gmx.net



[Bug 49288] Add support for stronger cryptographic hashing functions

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49288

Stefan Fritsch <sf...@sfritsch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Stefan Fritsch <sf...@sfritsch.de> ---
apr-util 1.5.1 has been released

Support for htpasswd has been added in trunk in r1395255
