Aaron Miller
added a comment - All the places I've identified where we are using the crypto application:
ns_server:
* deps/gen_smtp uses crypto for SMTP TLS and HMAC; shouldn't be necessary for normal email sending
* capi_set_view_manager, xdc_rdoc_Replication_srv, xdc_vbucket_rep_ckpt use rand_uniform for generating random numbers
couchdb:
* couch_util uses crypto:rand_uniform to provide random numbers
* couch_uuids uses crypto:rand_uniform to generate UUIDs
* couch_db uses crypto:rand_uniform when looking up random docs
* CouchDB uses MD5 hashing
  * couch_view_group keeps an MD5 hash of view functions to identify the view. We may not be using this. Check with Filipe.
  * couch_httpd.erl uses MD5 for ETags
  * Unused couch_stream (couchdb attachments) code uses MD5
* lhttpd uses crypto:rand_uniform
* The oauth library included, which I don't think we use, uses it for SHA1 HMAC
* Mochiweb uses it for random numbers (rand_bytes, rand_uniform)
* couch_server.erl/couch_httpd_auth.erl has a bad SHA1-based password hash, which I think we don't use
* couch_httpd_auth also uses a SHA1 HMAC to sign session cookies. Again, I don't think we use this.
* Some tests for unused CouchDB functionality pull in MD5 or rand_*
Farshid Ghods
added a comment - The reason why we want to stay away from OpenSSL dependencies is that during installation the user has to install a specific version of OpenSSL before the Couchbase Server installation.
The Ubuntu 12.04 repo, for instance, has a newer version of OpenSSL, but since Couchbase is built on Ubuntu 10.04 and uses an earlier version of OpenSSL, the user has to downgrade and download an earlier version, which is not very convenient.
Another reason why we don't want to depend on OpenSSL is that we cannot include this library in the RPM package due to export license restrictions, and if we get rid of this dependency we can have a monolithic package that does not depend on anything externally.
Farshid Ghods
added a comment - The next step is to assign this to different teams one by one and assess how much work there is to remove these dependencies.
Can you add some more information about where we use the MD5 hash?