[ https://issues.apache.org/jira/browse/CODEC-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258271#comment-13258271 ]

Gary D. Gregory commented on CODEC-133:
---------------------------------------

Hello again and thank you for your patience.

In one file I see:

{quote}
 * <p>
 * Based on the C implementation from Poul-Henning Kamp which was released under the following licence:
 * 
 * <pre>
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42): &lt;[email protected]&gt; wrote this file.
 * As long as you retain this notice you can do whatever you want with this
 * stuff. If we meet some day, and you think this stuff is worth it, you can buy
 * me a beer in return. Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 * Source: $FreeBSD: src/lib/libcrypt/crypt-md5.c,v 1.1 1999/01/21 13:50:09 brandon Exp $
 * http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libcrypt/crypt-md5.c?rev=1.1;content-type=text%2Fplain
 * </pre>
{quote}

I am not sure this is acceptable. IMO this can be removed because we are not 
shipping the C code, but rather a port of a port.

And:

{quote}
 * <p>
 * Conversion to Kotlin and from there to Java in 2012 by Christian Hammers &lt;[email protected]&gt; and put into the
 * Public Domain.
 * <p>
 * The C style comments are from the original C code, the ones with "//" from me.
{quote}

The granting part is also assumed because the license was granted to Apache 
when the patch was attached with the proper check-box selected.

Unless someone disagrees, I'll remove the above quoted text from the code and 
apply soon.

Thank you,
Gary


                
> Please add a function for the MD5/SHA1/SHA-512 based Unix crypt(3) hash 
> variants
> --------------------------------------------------------------------------------
>
>                 Key: CODEC-133
>                 URL: https://issues.apache.org/jira/browse/CODEC-133
>             Project: Commons Codec
>          Issue Type: New Feature
>    Affects Versions: 1.6
>            Reporter: Christian Hammers
>              Labels: MD5, SHA-512, crypt(3), crypto, hash
>         Attachments: commons-codec-crypt3.diff, 
> crypt3-with-utexas-licence.diff
>
>
> The Linux libc6 crypt(3) function, which is used to generate e.g. the 
> password hashes in /etc/shadow, is available in nearly all other programming 
> languages (Perl, PHP, Python, C, C++, ...) and databases like MySQL and 
> offers MD5/SHA1/SHA-512 based algorithms that were improved by adding a salt 
> and several iterations to make rainbow table attacks harder. Thus they are 
> widely used to store user passwords.
> Java, though, has, due to its platform independence, no direct access to the 
> libc functions and still lacks a proper port of the crypt(3) function.
> I already filed a wishlist bug (CODEC-104) for the traditional 56-bit DES 
> based crypt(3) method but would also like to see the much stronger algorithms.
> There are other bug reports like DIRSTUDIO-738 that demand those crypt 
> variants for some specific applications so it would benefit other 
> Apache projects as well.
> Java ports of most of the specific crypt variants are already existing, but 
> they would have to be cleaned up, properly tested and license checked:
> ftp://ftp.arlut.utexas.edu/pub/java_hashes/ 
> I would be willing to help here by cleaning the source code and writing unit 
> tests etc. but I'd like to generally know if you are interested and if 
> there's someone who can do a code review (it's security relevant after all 
> and I'm no crypto guy)
> bye,
> -christian-

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
