That sounds like a pretty credible plan! If no one objects by, say, the
end this coming Monday, I will feel free to remove 'crypt' from the
standard library, counting on others to figure out the right way to
materialize a more comprehensive freestanding library.
On 05/23/2018 12:22 PM, Benjamin Barenblat wrote:
On Saturday, May 19, 2018, at 3:52 pm -0400, Adam Chlipala wrote:
It has been pointed out <https://github.com/urweb/urweb/pull/114> that
Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
standards. I can think of a few potential courses of action:
[...]
2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
which is already linked with all Ur/Web apps.
3. Realize that literally no one is using this function and just delete
it from the standard library. (A less severe version is to ask a
small but nonzero-size user community to switch to using separate
libraries for this functionality.)
I think we should pursue both of these: Remove crypt from the standard
library, and replace its functionality with external libraries that
depend on OpenSSL.
I wrote bindings for the OpenSSL MD5, SHA-1, and SHA-2 APIs a while
back [1]. They're Apache-licensed. I'd love to see them get wider
use, and I'd welcome patches to add additional hash functions. I've also
written a bcrypt wrapper [2], so you've got two options if you want to
use bcrypt (the other being [3]). I AGPL-licensed my bcrypt wrapper, but
I'd be happy to relicense to Apache.
There may also be room for a general-purpose OpenSSL library for
Ur/Web. Such a library would bring the useful parts of the OpenSSL API
(data hashing, HMACs, password hashing, AES, ChaCha20/Poly1305, etc.) to
all Ur/Web applications and would effectively supersede [1]. I've been
working on something similar for Haskell [4], which could be a useful
model.
[1] https://benjamin.barenblat.name/git/urweb-crypto-hash-openssl.git
https://github.com/bbarenblat/urweb-crypto-hash-openssl
[2] https://benjamin.barenblat.name/git/urweb_bcrypt.git
https://github.com/bbarenblat/urweb_bcrypt
[3] https://github.com/steinuil/urweb-bcrypt
[4] https://github.com/google/btls
_______________________________________________
Ur mailing list
Ur@impredicative.com
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
_______________________________________________
Ur mailing list
Ur@impredicative.com
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur