Daniel Stenberg wrote:
> We either need code in libcurl that does DES and MD4, or we use a lib
> that provides them.
>
> 1. OpenSSL provides them, so when we built with that there's no problem.
>
> 2. GnuTLS uses libgcrypt for encryption, and that too offers DES and MD4
> functions. We just haven't adjusted the libcurl NTLM code to use the
> libgcrypt functions.

If (for some reason) libcurl wishes to move in a non-OpenSSL direction,
it seems to me that http://libtomcrypt.org/ is a better fit than
libmhash, libmcrypt, libgcrypt or GNU TLS from a license point of view,
and is wonderfully modular and flexible (resulting in a superb
footprint). I think it covers all of libcurl's hashing and encryption
requirements in one library.

As I say, though, that's mainly just for the non-OpenSSL case, since
libTomCrypt is a relatively low-level bundle of auth / hash /
encryption / certificate modules and doesn't really know about
anything as high-level as SSL, though it has been used as the basis
of at least one (commercial) SSL implementation and at least one SSH
client/server implementation, so for anyone interested in having
HTTPS happen without the incredibly large OpenSSL footprint,
libTomCrypt is probably a mostly-complete set of building blocks.
I've only lightly dabbled in libTomCrypt myself so far.

--Adam
Received on 2005-04-11