That sounds like a pretty credible plan!  If no one objects by, say, the end of this coming Monday, I will feel free to remove 'crypt' from the standard library, counting on others to figure out the right way to materialize a more comprehensive freestanding library.

On 05/23/2018 12:22 PM, Benjamin Barenblat wrote:
> On Saturday, May 19, 2018, at 3:52 pm -0400, Adam Chlipala wrote:
>> It has been pointed out <https://github.com/urweb/urweb/pull/114> that
>> Ur/Web's Basis.crypt uses DES, a weak hashing approach by today's
>> standards.  I can think of a few potential courses of action:
>>
>> [...]
>>
>>   2. Switch to a different cryptosystem available in OpenSSL's libcrypto,
>>      which is already linked with all Ur/Web apps.
>>   3. Realize that literally no one is using this function and just delete
>>      it from the standard library.  (A less severe version is to ask a
>>      small but nonzero-size user community to switch to using separate
>>      libraries for this functionality.)
>
> I think we should pursue both of these: Remove crypt from the standard
> library, and replace its functionality with external libraries that
> depend on OpenSSL.
>
> I wrote bindings for the OpenSSL MD5, SHA-1, and SHA-2 APIs a while
> back [1]. They're Apache-licensed. I'd love to see them get wider
> use, and I'd welcome patches to add additional hash functions. I've also
> written a bcrypt wrapper [2], so you've got two options if you want to
> use bcrypt (the other being [3]). I AGPL-licensed my bcrypt wrapper, but
> I'd be happy to relicense to Apache.
>
> There may also be room for a general-purpose OpenSSL library for
> Ur/Web. Such a library would bring the useful parts of the OpenSSL API
> (data hashing, HMACs, password hashing, AES, ChaCha20/Poly1305, etc.) to
> all Ur/Web applications and would effectively supersede [1]. I've been
> working on something similar for Haskell [4], which could be a useful
> model.
>
>
> [1] https://benjamin.barenblat.name/git/urweb-crypto-hash-openssl.git
>      https://github.com/bbarenblat/urweb-crypto-hash-openssl
>
> [2] https://benjamin.barenblat.name/git/urweb_bcrypt.git
>      https://github.com/bbarenblat/urweb_bcrypt
>
> [3] https://github.com/steinuil/urweb-bcrypt
>
> [4] https://github.com/google/btls

_______________________________________________
Ur mailing list
Ur@impredicative.com
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur

