OpenSSL libcrypto/libcrypt

Robert Connolly robert at linuxfromscratch.org
Fri Aug 31 21:50:11 PDT 2007


NetBSD's libcrypt ported to OpenSSL and Linux (including tests/examples):
http://www.linuxfromscratch.org/~robert/new/shadow-openssl/libcrypt-ssl-20070901/

hmac-sha1, md5, and bcrypt work. bcrypt is internal, I can't see how to use 
any blowfish functions from OpenSSL. I'd love to use the Blowfish from 
OpenSSL, not only for better performance but so this libcrypt package 
wouldn't contain any algorithms (see European cryptography laws). The bcrypt 
code in libxcrypt, pgcrypto, Owl-bcrypt, is all based on the same source, but 
the pgcrypto variation is slightly closer to OpenSSL compatible. So it might 
still be possible to get the heart of the bcrypt routines from OpenSSL.

Functions are:
crypt_sha1(password, salt)
crypt_md5(password, salt)
__bcrypt(password, salt)
pw_gensalt(salt_buffer, salt_length, algorithm, iterations)

pw_gensalt depends on arc4random(3). Using OpenSSL's RAND_bytes(3) is probably 
a better idea.

/usr/bin/*sum can use OpenSSL's libcrypto directly, because they don't use 
salts or iterations.

I think this is the most sensible solution. libpgcrypto depends on postgresql, 
and supports unneeded database encryption. I also think if this library is 
cleaned up a bit more, then OpenSSL.org might consider adding it to their 
demos/ directory.

The default crypt can also be changed from des to something else, so crypt() 
defaults to sha[x], or blowfish, and creates the random salt transparently. 
There should be an easy way to make this optional.

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20070901/c18f76cc/attachment.sig>


More information about the hlfs-dev mailing list