Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-6883

dont use md5 hash and dont use openssl

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: feature-backlog
    • Component/s: build
    • Security Level: Public
    • Labels:
      None

      Description

      aaron has more info on where we are using libcrypto

      No reviews matched the request. Check your Options in the drop-down menu of this sections header.

        Activity

        Hide
        farshid Farshid Ghods (Inactive) added a comment -

        Aaron,

        can you add some more information about where we use md5 hash

        Show
        farshid Farshid Ghods (Inactive) added a comment - Aaron, can you add some more information about where we use md5 hash
        Hide
        aaron Aaron Miller (Inactive) added a comment -

        All the places I've identified where we are using the crypto application:

        ns_server:

        • deps/gen_smtp uses crypto for SMTP TLS and HMAC, shouldn't be necessary for normal email sending
        • capi_set_view_manager, xdc_rdoc_Replication_srv, xdc_vbucket_rep_ckpt use rand_uniform for generating random numbers

        couchdb:

        • couch_util uses crypto:rand_uniform to provide random numbers
        • couch_uuids uses crypto:rand_uniform to generate UUIDs
        • couch_db uses crypto:rand_uniform when looking up random docs
        • CouchDB uses MD5 hashing
        • couch_view_group keeps an MD5 hash of view functions to identify the view. We may not be using this. Check with Filipe.
        • couch_httpd.erl uses MD5 for ETags
        • Unused couch_stream (couchdb attachments) code uses MD5
        • lhttpd uses crypto:rand_uniform
        • The ouath library included, which I don't think we use, uses it for SHA1 HMAC
        • Mochiweb uses it for random numbers (rand_bytes, rand_uniform)
        • couch_server.erl/couch_httpd_auth.erl has a bad SHA1 based password hash, which I think we don't use
        • couch_httpd_auth also uses a SHA1 HMAC to sign session cookies. Again, I don't think we use this.
        • Some tests for unused CouchDB functionality pull in MD5 or rand_*
        Show
        aaron Aaron Miller (Inactive) added a comment - All the places I've identified where we are using the crypto application: ns_server: deps/gen_smtp uses crypto for SMTP TLS and HMAC, shouldn't be necessary for normal email sending capi_set_view_manager, xdc_rdoc_Replication_srv, xdc_vbucket_rep_ckpt use rand_uniform for generating random numbers couchdb: couch_util uses crypto:rand_uniform to provide random numbers couch_uuids uses crypto:rand_uniform to generate UUIDs couch_db uses crypto:rand_uniform when looking up random docs CouchDB uses MD5 hashing couch_view_group keeps an MD5 hash of view functions to identify the view. We may not be using this. Check with Filipe. couch_httpd.erl uses MD5 for ETags Unused couch_stream (couchdb attachments) code uses MD5 lhttpd uses crypto:rand_uniform The ouath library included, which I don't think we use, uses it for SHA1 HMAC Mochiweb uses it for random numbers (rand_bytes, rand_uniform) couch_server.erl/couch_httpd_auth.erl has a bad SHA1 based password hash, which I think we don't use couch_httpd_auth also uses a SHA1 HMAC to sign session cookies. Again, I don't think we use this. Some tests for unused CouchDB functionality pull in MD5 or rand_*
        Hide
        farshid Farshid Ghods (Inactive) added a comment -

        the reason why we want to stay away from openssl dependencies is that during the installation user has to install a specific version of openssl before couchase server installation.

        ubuntu 12.04 repo for instance has a newer version of openssl but since couchbase is built on ubuntu 10.04 and uses earlier version of openssl user has to downgrade and download an earlier version which is not very convinient.

        another reason why we dont want to depend on openssl is that we can not include this library in the rpm package due to export license restrictions and if we get rid of this dependency we can have a monolithic package that does not depend on anything externally

        Show
        farshid Farshid Ghods (Inactive) added a comment - the reason why we want to stay away from openssl dependencies is that during the installation user has to install a specific version of openssl before couchase server installation. ubuntu 12.04 repo for instance has a newer version of openssl but since couchbase is built on ubuntu 10.04 and uses earlier version of openssl user has to downgrade and download an earlier version which is not very convinient. another reason why we dont want to depend on openssl is that we can not include this library in the rpm package due to export license restrictions and if we get rid of this dependency we can have a monolithic package that does not depend on anything externally
        Hide
        farshid Farshid Ghods (Inactive) added a comment -

        next step is to assign this to different teams one by one and assess how much work there is to remove these dependencies

        Show
        farshid Farshid Ghods (Inactive) added a comment - next step is to assign this to different teams one by one and assess how much work there is to remove these dependencies
        Hide
        steve Steve Yen added a comment -

        Hi Dipti, wondering how important this is.

        It has implications on a single binary *.deb for both 10.04 and 12.04 ubuntu.

        Show
        steve Steve Yen added a comment - Hi Dipti, wondering how important this is. It has implications on a single binary *.deb for both 10.04 and 12.04 ubuntu.

          People

          • Assignee:
            dipti Dipti Borkar
            Reporter:
            farshid Farshid Ghods (Inactive)
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Gerrit Reviews

              There are no open Gerrit changes