|
Packit |
13e0ca |
[![Build Status](https://travis-ci.org/besser82/libxcrypt.svg?branch=develop)](https://travis-ci.org/besser82/libxcrypt)
|
|
Packit |
13e0ca |
[![codecov](https://codecov.io/gh/besser82/libxcrypt/branch/develop/graph/badge.svg)](https://codecov.io/gh/besser82/libxcrypt)
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
README for libxcrypt
|
|
Packit |
13e0ca |
====================
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
libxcrypt is a modern library for one-way hashing of passwords. It
|
|
Packit |
13e0ca |
supports DES, MD5, NTHASH, SUNMD5, SHA-2-256, SHA-2-512, and
|
|
Packit |
13e0ca |
bcrypt-based password hashes, and provides the traditional Unix `crypt`
|
|
Packit |
13e0ca |
and `crypt_r` interfaces, as well as a set of extended interfaces
|
|
Packit |
13e0ca |
pioneered by Openwall Linux, `crypt_rn`, `crypt_ra`, `crypt_gensalt`,
|
|
Packit |
13e0ca |
`crypt_gensalt_rn`, and `crypt_gensalt_ra`.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
libxcrypt is intended to be used by `login(1)`, `passwd(1)`, and other
|
|
Packit |
13e0ca |
similar programs; that is, to hash a small number of passwords during
|
|
Packit |
13e0ca |
an interactive authentication dialogue with a human. It is not
|
|
Packit |
13e0ca |
suitable for use in bulk password-cracking applications, or in any
|
|
Packit |
13e0ca |
other situation where speed is more important than careful handling of
|
|
Packit |
13e0ca |
sensitive data. However, it *is* intended to be fast and lightweight
|
|
Packit |
13e0ca |
enough for use in servers that must field thousands of login attempts
|
|
Packit |
13e0ca |
per minute.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
Authorship and Licensing
|
|
Packit |
13e0ca |
------------------------
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
libxcrypt is currently maintained by Björn Esser and Zack Weinberg.
|
|
Packit |
13e0ca |
Many people have contributed to the code making up libxcrypt, often
|
|
Packit |
13e0ca |
under the aegis of a different project. We particularly wish to thank
|
|
Packit |
13e0ca |
Solar Designer, Ulrich Drepper, David Burren, and Thorsten Kukuk.
|
|
Packit |
13e0ca |
Please see the AUTHORS and THANKS files for a full set of credits.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
libxcrypt as a whole is licensed under the GNU Lesser General Public
|
|
Packit |
13e0ca |
License (version 2.1, or at your option, any later version). However,
|
|
Packit |
13e0ca |
many individual files may be reused under more permissive licenses if
|
|
Packit |
13e0ca |
separated from the library. Please see the LICENSING file for a
|
|
Packit |
13e0ca |
comprehensive inventory of licenses, and COPYING.LIB for the terms of
|
|
Packit |
13e0ca |
the LGPL.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
Bug Reports, Feature Requests, Contributions, Etc.
|
|
Packit |
13e0ca |
--------------------------------------------------
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
libxcrypt is currently maintained at Github: the canonical repository
|
|
Packit |
13e0ca |
URL is <https://github.com/besser82/libxcrypt>. Please file bug
|
|
Packit |
13e0ca |
reports at <https://github.com/besser82/libxcrypt/issues>. This is
|
|
Packit |
13e0ca |
also the appropriate place to suggest new features, offer patches,
|
|
Packit |
13e0ca |
etc. All your feedback is welcome and will eventually receive a
|
|
Packit |
13e0ca |
response, but this is a spare-time project for all of the present
|
|
Packit |
13e0ca |
maintainers, so please be patient.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
Portability Notes
|
|
Packit |
13e0ca |
-----------------
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
libxcrypt should be buildable with any ISO C1999-compliant C compiler,
|
|
Packit |
13e0ca |
with one critical exception: the symbol versioning macros in
|
|
Packit |
13e0ca |
`crypt-port.h` only work with compilers that implement certain GCC/GNU
|
|
Packit |
13e0ca |
Binutils extensions (`.symver`, `__asm__`, and `__attribute__((alias)))`.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
A few C2011 features are used; the intention is not to use any of them
|
|
Packit |
13e0ca |
without a fallback, but we do not currently test this. A few POSIX
|
|
Packit |
13e0ca |
and nonstandard-but-widespread Unix APIs are also used; again, the
|
|
Packit |
13e0ca |
intention is not to use any of them without a fallback, but we do not
|
|
Packit |
13e0ca |
currently test this. In particular, the crypt_gensalt functions may
|
|
Packit |
13e0ca |
not always be able to retrieve cryptographically-sound random numbers
|
|
Packit |
13e0ca |
from the operating system; if you call these functions with a null
|
|
Packit |
13e0ca |
pointer for the "rbytes" argument, be prepared for them to fail.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
Compatibility Notes
|
|
Packit |
13e0ca |
-------------------
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
On Linux-based systems, by default libxcrypt will be binary backward
|
|
Packit |
13e0ca |
compatible with the libcrypt.so.1 shipped as part of the GNU C
|
|
Packit |
13e0ca |
Library. This means that all existing binary executables linked
|
|
Packit |
13e0ca |
against glibc's libcrypt should work unmodified with this library's
|
|
Packit |
13e0ca |
libcrypt.so.1. We have taken pains to provide exactly the same
|
|
Packit |
13e0ca |
"symbol versions" as were used by glibc on various CPU architectures,
|
|
Packit |
13e0ca |
and to account for the variety of ways in which the Openwall
|
|
Packit |
13e0ca |
extensions were patched into glibc's libcrypt by some Linux
|
|
Packit |
13e0ca |
distributions. (For instance, compatibility symlinks for SUSE's
|
|
Packit |
13e0ca |
"libowcrypt" are provided.)
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
However, the converse is not true: programs linked against libxcrypt
|
|
Packit |
13e0ca |
will not work with glibc's libcrypt. Also, programs that use certain
|
|
Packit |
13e0ca |
legacy APIs supplied by glibc's libcrypt (`encrypt`, `encrypt_r`,
|
|
Packit |
13e0ca |
`setkey`, `setkey_r`, and `fcrypt`) cannot be *compiled* against
|
|
Packit |
13e0ca |
libxcrypt.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
Binary backward compatibility can be disabled by supplying the
|
|
Packit |
13e0ca |
`--disable-obsolete-api` switch to `configure`, in which case libxcrypt
|
|
Packit |
13e0ca |
will install libcrypt.so.2 instead of libcrypt.so.1. This
|
|
Packit |
13e0ca |
configuration is always used on all operating systems other than
|
|
Packit |
13e0ca |
Linux. We are willing to consider adding binary backward
|
|
Packit |
13e0ca |
compatibility for other operating systems' existing libcrypts, but we
|
|
Packit |
13e0ca |
don't currently plan to do that work ourselves.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
Individual hash functions may be enabled or disabled by use of the
|
|
Packit |
13e0ca |
`--enable-hashes` switch to `configure`. The default is to enable all
|
|
Packit |
13e0ca |
supported hashes. Disabling the traditional 'des' hash algorithm
|
|
Packit |
13e0ca |
implies `--disable-obsolete-api`. Security-conscious environments
|
|
Packit |
13e0ca |
without backward compatibility constraints are encouraged to use
|
|
Packit |
13e0ca |
`--enable-hashes=strong`, which enables only the hash functions that
|
|
Packit |
13e0ca |
are strong enough to be safe for newly hashed passwords.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
The original implementation of the SUNMD5 hashing algorithm has a bug,
|
|
Packit |
13e0ca |
which is mimicked by libxcrypt to be fully compatible with hashes
|
|
Packit |
13e0ca |
generated on (Open)Solaris: According to the only existing
|
|
Packit |
13e0ca |
[documentation of this algorithm](https://dropsafe.crypticide.com/article/1389),
|
|
Packit |
13e0ca |
its hashes were supposed to have the format
|
|
Packit |
13e0ca |
`$md5[,rounds=%u]$<salt>$<checksum>`, and include only the bare
|
|
Packit |
13e0ca |
string `$md5[,rounds=%u]$<salt>` in the salt digest step. However,
|
|
Packit |
13e0ca |
almost all hashes encountered in production environments have the
|
|
Packit |
13e0ca |
format `$md5[,rounds=%u]$<salt>$$<checksum>` (note the double $$).
|
|
Packit |
13e0ca |
Unfortunately, it is not merely a cosmetic difference: hashes of this
|
|
Packit |
13e0ca |
format incorporate the first $ after the salt within the salt digest
|
|
Packit |
13e0ca |
step, so the resulting checksum is different.
|
|
Packit |
13e0ca |
The documentation hints that this stems from a bug within the
|
|
Packit |
13e0ca |
production implementation’s parser. This bug causes the
|
|
Packit |
13e0ca |
implementation to return `$$`-format hashes when passed a configuration
|
|
Packit |
13e0ca |
string that ends with `$`. It returns the intended original format
|
|
Packit |
13e0ca |
and checksum only if there is at least one letter after the `$`,
|
|
Packit |
13e0ca |
e.g. `$md5[,rounds=%u]$<salt>$x`.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
The NTHASH algorithm, in its original implementation, never came with
|
|
Packit |
13e0ca |
any `gensalt` function, because the algorithm does not use any.
|
|
Packit |
13e0ca |
libxcrypt ships a bogus `gensalt` function for the NTHASH algorithm,
|
|
Packit |
13e0ca |
which simply returns `$3$__not_used__XXXXXXXXXXXXXX`, where the `X`s
|
|
Packit |
13e0ca |
stand for some more or less random salt. There is no difference in
|
|
Packit |
13e0ca |
the resulting hash returned by the `crypt` function, whether using
|
|
Packit |
13e0ca |
one of the hashes returned by `gensalt` or simply using `$3$` as a
|
|
Packit |
13e0ca |
setting for hashing a password with NTHASH.
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
As a final compatibility note, glibc's libcrypt could optionally be
|
|
Packit |
13e0ca |
configured to use Mozilla's NSS library's implementations of the
|
|
Packit |
13e0ca |
cryptographic primitives MD5, SHA-2-256, and SHA-2-512. This option
|
|
Packit |
13e0ca |
does not currently exist in libxcrypt, because we do not currently
|
|
Packit |
13e0ca |
believe it is a desirable option. The stated rationale for the option
|
|
Packit |
13e0ca |
in glibc is to source all cryptographic primitives from a library that
|
|
Packit |
13e0ca |
has undergone FIPS certification, but we believe FIPS certification
|
|
Packit |
13e0ca |
would need to cover all of libxcrypt itself to have any meaningful
|
|
Packit |
13e0ca |
value. Moreover, the primitive currently recommended for use by new
|
|
Packit |
13e0ca |
password hashes, bcrypt, is not available from NSS, so the
|
|
Packit |
13e0ca |
certification would not cover any part of what will hopefully be the
|
|
Packit |
13e0ca |
most used code path.
|