Extended crypt library for DES, MD5, Blowfish and others
m4 Use 'AC_PATH_PROG' instead of 'AC_CHECK_PROG'. Nov 3, 2018
.gitignore Add 'test-gensalt-extradata' to gitignore. Nov 11, 2018
.travis.yml Test bcrypt_{a,x,y} on Travis, too. Nov 10, 2018
.travis_after_success.sh Drop 'exit 0' at the end of TravisCI build scripts. Nov 4, 2018
.travis_before_script.sh Drop 'exit 0' at the end of TravisCI build scripts. Nov 4, 2018
.travis_install.sh Drop 'exit 0' at the end of TravisCI build scripts. Nov 4, 2018
.travis_script.sh Remove the leading 'v' from the version for Coverity. Nov 9, 2018
AUTHORS Update AUTHORS and LICENSING. Oct 28, 2018
COPYING.LIB COPYING.LIB: Update LGPLv2.1 to latest revision Oct 13, 2017
ChangeLog release version 4.0.0 Jan 27, 2018
LICENSING Implement crypt_checksalt. Nov 9, 2018
Makefile.am Install <xcrypt.h> and a symlink from libxcrypt.so to libcrypt.so. Nov 14, 2018
NEWS Bump tarball version to 4.3.5 and update NEWS. Nov 14, 2018
README Add symlink to README.md to make Autotools happy Oct 16, 2017
README.md Fix another JtR method name. Nov 9, 2018
THANKS Add gost-yescrypt backend and tests. Oct 28, 2018
TODO Revise the to-do list. Oct 20, 2018
TODO.md Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
alg-des-tables.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
alg-des.c Do not out-of-bounds index 'key_perm_maskl'. Nov 1, 2018
alg-des.h The 'key' parameter for 'des_set_key()' must be at least 8 bytes long. Nov 1, 2018
alg-gost3411-2012-const.h Rename 'gost34112012_uint512_u' to 'uint512_u'. Nov 3, 2018
alg-gost3411-2012-core.c Rename 'gost34112012_uint512_u' to 'uint512_u'. Nov 3, 2018
alg-gost3411-2012-core.h Rename 'gost34112012_uint512_u' to 'uint512_u'. Nov 3, 2018
alg-gost3411-2012-hmac.c Add gost-yescrypt backend and tests. Oct 28, 2018
alg-gost3411-2012-hmac.h Add gost-yescrypt backend and tests. Oct 28, 2018
alg-gost3411-2012-precalc.h Remove 'GOST3411_ALIGN'. Nov 3, 2018
alg-gost3411-2012-ref.h Add gost-yescrypt backend and tests. Oct 28, 2018
alg-hmac-sha1.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
alg-hmac-sha1.h alg-hmac-sha1: Add implementation of HMAC with SHA1 Oct 25, 2017
alg-md4.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
alg-md4.h Use unmodified md4 implementation from Alexander Peslyak. Oct 22, 2018
alg-md5.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
alg-md5.h Use md5 implementation from Alexander Peslyak. Oct 22, 2018
alg-sha1.c Use macros to detect endianness if configure cannot tell. (Fixes #42) Oct 30, 2018
alg-sha1.h alg-sha1: Add implementation of the Secure Hash Algorithm 1 (SHA1) Oct 25, 2017
alg-sha256.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
alg-sha256.h Use yescrypt’s sha256 implementation for sha256crypt as well. Sep 21, 2018
alg-sha512.c alg-sha512.c: Make PAD const. Nov 12, 2018
alg-sha512.h Update sha512 implementation to recent revision. Oct 25, 2018
alg-yescrypt-common.c Rename 'encrypt()' to 'yescrypt_sha256_cipher()'. Nov 1, 2018
alg-yescrypt-opt.c Add annotations for Coverity Scan. Nov 9, 2018
alg-yescrypt-platform.c Drop code under #if HAVE_POSIX_MEMALIGN. Nov 1, 2018
alg-yescrypt-sysendian.h Use sha512 implementation from Colin Percival. Oct 22, 2018
alg-yescrypt.h Add gost-yescrypt backend and tests. Oct 28, 2018
bootstrap Add bootstrap script. Oct 18, 2018
byteorder.h Make a pass updating copyright and authorship notices. Oct 5, 2017
configure.ac Bump tarball version to 4.3.5 and update NEWS. Nov 14, 2018
crypt-bcrypt.c Remove the gensalt function for the bcrypt x variant ($2x$). Nov 11, 2018
crypt-common.c Move helper functions into 'crypt-common.c'. Nov 3, 2018
crypt-des-obsolete.c Make XCRYPT_SECURE_MEMSET() syntactically a normal expression. Jul 11, 2018
crypt-des.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-gensalt-static.c Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. Nov 14, 2018
crypt-gensalt.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-gost-yescrypt.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-md5.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-nthash.c nthash: The output buffer for gensalt must be at least 30 bytes long. Nov 11, 2018
crypt-obsolete.h Remove all of the nonnull annotations. (Fixes #41) Oct 29, 2018
crypt-pbkdf1-sha1.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-port.h Fix prototypes for 'crypt-common.c'. Nov 3, 2018
crypt-scrypt.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-sha256.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-sha512.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-static.c Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. Nov 14, 2018
crypt-sunmd5.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt-yescrypt.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
crypt.3 Convert existing manpages to BSD mdoc format. Oct 18, 2018
crypt.5 Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
crypt.c Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. Nov 14, 2018
crypt.h.in.in Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. Nov 14, 2018
crypt_checksalt.3 Implement crypt_checksalt. Nov 9, 2018
crypt_gensalt.3 Convert existing manpages to BSD mdoc format. Oct 18, 2018
crypt_gensalt_ra.3 Swap crypt.3 with crypt_rn.3; add crypt_gensalt_r[an].c Sep 5, 2018
crypt_gensalt_rn.3 Swap crypt.3 with crypt_rn.3; add crypt_gensalt_r[an].c Sep 5, 2018
crypt_r.3 Swap crypt.3 with crypt_rn.3; add crypt_gensalt_r[an].c Sep 5, 2018
crypt_ra.3 Swap crypt.3 with crypt_rn.3; add crypt_gensalt_r[an].c Sep 5, 2018
crypt_rn.3 Swap crypt.3 with crypt_rn.3; add crypt_gensalt_r[an].c Sep 5, 2018
gen-crypt-h.awk Remove all of the nonnull annotations. (Fixes #41) Oct 29, 2018
gen-des-tables.c Check in alg-des-tables.c, don't run gen-des-tables at build time. Jul 5, 2018
gen-hashes.awk Add 'fedora' to the groups of hashing methods. Nov 14, 2018
gen-map.awk Extend --enable-obsolete-api configure option Jul 13, 2018
gen-vers.awk Implement crypt_checksalt. Nov 9, 2018
hashes.lst Add 'fedora' to the groups of hashing methods. Nov 14, 2018
libcrypt.map.in Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. Nov 14, 2018
libcrypt.minver Fix several test failures on x86-64 with -m32. Jul 13, 2018
libxcrypt.pc.in Add pkgconfig file Oct 16, 2017
randombytes.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
sel-hashes.awk Add 'fedora' to the groups of hashing methods. Nov 14, 2018
test-alg-des.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-alg-gost3411-2012-hmac.c Add gost-yescrypt backend and tests. Oct 28, 2018
test-alg-gost3411-2012.c Add 512 Bit test vectors for GOST-34.11-2012. Oct 28, 2018
test-alg-hmac-sha1.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-alg-md4.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-alg-md5.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-alg-pbkdf-hmac-sha256.c Add gost-yescrypt backend and tests. Oct 28, 2018
test-alg-sha1.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-alg-sha256.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-alg-sha512.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-badsalt.c Make bcrypt variants independently configurable. Nov 10, 2018
test-badsetting.c Remove the gensalt function for the bcrypt x variant ($2x$). Nov 11, 2018
test-byteorder.c Use ARRAY_SIZE instead of open-coding it in every use case Jun 30, 2018
test-checksalt.c Remove the gensalt function for the bcrypt x variant ($2x$). Nov 11, 2018
test-compile-strong-alias.c Darwin doesn't support strong aliases. (Fixes #43) Oct 31, 2018
test-crypt-badargs.c Make bcrypt variants independently configurable. Nov 10, 2018
test-crypt-bcrypt.c Skip test-crypt-bcrypt, if no bcrypt method was enabled. Nov 14, 2018
test-crypt-des.c Fix bigcrypt rejecting its own valid output for short phrases. Oct 30, 2018
test-crypt-gost-yescrypt.c Remove 'GOST3411_ALIGN'. Nov 3, 2018
test-crypt-md5.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-crypt-nthash.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-crypt-pbkdf1-sha1.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-crypt-scrypt.c Include crypt.h from crypt-port.h. Oct 21, 2018
test-crypt-sha256.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-crypt-sha512.c Rename all hash methods to match naming in John the Ripper. Oct 29, 2018
test-crypt-sunmd5.c Include crypt.h from crypt-port.h. Oct 21, 2018
test-crypt-yescrypt.c yescrypt: Add more tests. Oct 24, 2018
test-des-cases.h Use ARRAY_SIZE instead of open-coding it in every use case Jun 30, 2018
test-des-obsolete.c Include crypt.h from crypt-port.h. Oct 21, 2018
test-des-obsolete_r.c Include crypt.h from crypt-port.h. Oct 21, 2018
test-gensalt-extradata.c Remove the gensalt function for the bcrypt x variant ($2x$). Nov 11, 2018
test-gensalt.c Remove the gensalt function for the bcrypt x variant ($2x$). Nov 11, 2018
test-getrandom-fallbacks.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
test-getrandom-interface.c Remove 'crypt-private.h' and merge it into 'crypt-port.h'. Nov 3, 2018
test-short-outbuf.c Update AUTHORS and LICENSING. Oct 28, 2018
test-symbols-compat.sh Use valgrind memcheck if available to test for memory leaks. Aug 2, 2018
test-symbols-renames.sh Use valgrind memcheck if available to test for memory leaks. Aug 2, 2018
test-symbols-static.sh Use valgrind memcheck if available to test for memory leaks. Aug 2, 2018
xcrypt.h Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. Nov 14, 2018

README.md

README for libxcrypt

libxcrypt is a modern library for one-way hashing of passwords. It supports a wide variety of both modern and historical hashing methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, and descrypt. It provides the traditional Unix crypt and crypt_r interfaces, as well as a set of extended interfaces pioneered by Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other similar programs; that is, to hash a small number of passwords during an interactive authentication dialogue with a human. It is not suitable for use in bulk password-cracking applications, or in any other situation where speed is more important than careful handling of sensitive data. However, it is intended to be fast and lightweight enough for use in servers that must field thousands of login attempts per minute.

Authorship and Licensing

libxcrypt is currently maintained by Björn Esser and Zack Weinberg. Many people have contributed to the code making up libxcrypt, often under the aegis of a different project. Please see the AUTHORS and THANKS files for a full set of credits.

libxcrypt as a whole is licensed under the GNU Lesser General Public License (version 2.1, or at your option, any later version). However, many individual files may be reused under more permissive licenses if separated from the library. Please see the LICENSING file for a comprehensive inventory of licenses, and COPYING.LIB for the terms of the LGPL.

Bug Reports, Feature Requests, Contributions, Etc.

libxcrypt is currently maintained on GitHub: the canonical repository URL is https://github.com/besser82/libxcrypt. Please file bug reports at https://github.com/besser82/libxcrypt/issues. This is also the appropriate place to suggest new features, offer patches, etc. All your feedback is welcome and will eventually receive a response, but this is a spare-time project for all of the present maintainers, so please be patient.

Build Requirements and Instructions

To build from a tarball release, the only tools required are the standard Unix shell environment (including an implementation of AWK) and a C compiler. Follow the generic build and installation instructions in the file INSTALL. There are two package-specific configure switches: --enable-obsolete-api and --enable-hashes. Run ./configure --help for more detail on these options. Run man -l crypt.5 for more detail on the hashing algorithms that can be enabled or disabled by --enable-hashes. You can do both of these things before building the software.

Building from a Git checkout additionally requires the Autotools suite: autoconf, automake, libtool, and pkg-config. Run ./bootstrap at the top level of the source tree, and then follow the instructions in INSTALL (which is created by that command).

The oldest versions of Autotools components that are known to work are: autoconf 2.69, automake 1.14, libtool 2.4.6, pkg-config 0.29. If you test with an older version of one of these and find that it works, please let us know. We are not deliberately requiring newer versions; we just can’t conveniently test older versions ourselves.

Portability Notes

libxcrypt should be buildable with any ISO C1999-compliant C compiler, with one critical exception: the symbol versioning macros in crypt-port.h only work with compilers that implement certain GCC and GNU Binutils extensions (__attribute__((alias)), GCC-style asm, and .symver).

A few C2011 features are used; the intention is not to use any of them without a fallback, but we do not currently test this. A few POSIX and nonstandard-but-widespread Unix APIs are also used; again, the intention is not to use any of them without a fallback, but we do not currently test this. In particular, the crypt_gensalt functions may not always be able to retrieve cryptographically-sound random numbers from the operating system; if you call these functions with a null pointer for the “rbytes” argument, be prepared for them to fail.

As of mid-2018, GCC and LLVM don’t support link-time optimization of libraries that use symbol versioning. If you build libxcrypt with either of these compilers, do not use -flto. See GCC bug 48200 for specifics; the problem is very similar for LLVM. Because this is, at its root, a set of missing compiler features, we expect link-time optimization won’t work in other C compilers either, but we haven’t tested it ourselves.

Compatibility Notes

On Linux-based systems, by default libxcrypt will be binary backward compatible with the libcrypt.so.1 shipped as part of the GNU C Library. This means that all existing binary executables linked against glibc’s libcrypt should work unmodified with this library’s libcrypt.so.1. We have taken pains to provide exactly the same symbol versions as were used by glibc on various CPU architectures, and to account for the variety of ways in which the Openwall extensions were patched into glibc’s libcrypt by some Linux distributions. (For instance, compatibility symlinks for SUSE’s “libowcrypt” are provided.)

However, the converse is not true: programs linked against libxcrypt will not work with glibc’s libcrypt. Also, programs that use certain legacy APIs supplied by glibc’s libcrypt (encrypt, encrypt_r, setkey, setkey_r, and fcrypt) cannot be compiled against libxcrypt.

Binary backward compatibility can be disabled by supplying the --disable-obsolete-api switch to configure, in which case libxcrypt will install libcrypt.so.2 instead of libcrypt.so.1. This configuration is always used on all operating systems other than Linux. We are willing to consider adding binary backward compatibility for other operating systems’ existing libcrypts, but we don’t currently plan to do that work ourselves.

Individual hash functions may be enabled or disabled by use of the --enable-hashes switch to configure. The default is to enable all supported hashes. Disabling the traditional ‘des’ hash algorithm implies --disable-obsolete-api. Security-conscious environments without backward compatibility constraints are encouraged to use --enable-hashes=strong, which enables only the hash functions that are strong enough to be safe for newly hashed passwords.

The original implementation of the SunMD5 hashing algorithm has a bug, which is mimicked by libxcrypt to be fully compatible with hashes generated on (Open)Solaris. According to the only existing documentation of this algorithm, its hashes were supposed to have the format $md5[,rounds=%u]$<salt>$<checksum>, and include only the bare string $md5[,rounds=%u]$<salt> in the salt digest step. However, almost all hashes encountered in production environments have the format $md5[,rounds=%u]$<salt>$$<checksum> (note the double $$). Unfortunately, it is not merely a cosmetic difference: hashes of this format incorporate the first $ after the salt within the salt digest step, so the resulting checksum is different. The documentation hints that this stems from a bug within the production implementation’s parser. This bug causes the implementation to return $$-format hashes when passed a configuration string that ends with $. It returns the intended original format and checksum only if there is at least one letter after the $, e.g. $md5[,rounds=%u]$<salt>$x.
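
The rule in the preceding paragraph, as an added C illustration (not libxcrypt's own code): it classifies a SunMD5 setting or hash string and reports how many leading bytes enter the salt digest step. The names sunmd5_classify and enum sunmd5_form are hypothetical, the sample strings are constructed, the salt is assumed to be any run of non-$ characters, and a string that ends directly after the salt is treated as the bare form.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum sunmd5_form { SUNMD5_INVALID, SUNMD5_DOCUMENTED, SUNMD5_BUGCOMPAT };

/* Classify s and store in *digest_len the number of leading bytes of s
   that are fed to the salt digest step.  Salt alphabet and length are
   not validated here (assumption of this sketch). */
static enum sunmd5_form sunmd5_classify(const char *s, size_t *digest_len)
{
    const char *p = s;

    *digest_len = 0;
    if (strncmp(p, "$md5", 4) != 0)
        return SUNMD5_INVALID;
    p += 4;
    if (strncmp(p, ",rounds=", 8) == 0) {      /* optional ,rounds=%u */
        p += 8;
        if (!isdigit((unsigned char)*p))
            return SUNMD5_INVALID;
        while (isdigit((unsigned char)*p))
            p++;
    }
    if (*p != '$')                             /* '$' that opens the salt */
        return SUNMD5_INVALID;
    p++;
    p += strcspn(p, "$");                      /* now at '$' or end of string */

    /* "<salt>$$..." or a string ending in "<salt>$": the first '$' after
       the salt is part of the digested prefix (the $$ format). */
    if (p[0] == '$' && (p[1] == '$' || p[1] == '\0')) {
        *digest_len = (size_t)(p - s) + 1;
        return SUNMD5_BUGCOMPAT;
    }
    /* "<salt>$x...": only the bare "$md5[,rounds=%u]$<salt>" is digested. */
    *digest_len = (size_t)(p - s);
    return SUNMD5_DOCUMENTED;
}

int main(void)
{
    static const char *const samples[] = {     /* constructed inputs */
        "$md5,rounds=5000$saltsalt$$CHECKSUM",
        "$md5,rounds=5000$saltsalt$",
        "$md5,rounds=5000$saltsalt$x",
        "$md5$saltsalt$CHECKSUM",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n;
        enum sunmd5_form f = sunmd5_classify(samples[i], &n);
        printf("%-38s form=%d digested=\"%.*s\"\n",
               samples[i], (int)f, (int)n, samples[i]);
    }
    return 0;
}
```

Two strings that differ only in whether the digested prefix ends before or after that first $ yield different checksums, so a validator or migration tool has to preserve the separator exactly as stored.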

The NT algorithm, in its original implementation, never came with any gensalt function, because the algorithm does not use any. libxcrypt ships a bogus gensalt function for the NT algorithm, which simply returns $3$__not_used__XXXXXXXXXXXXXX, where the Xs stand for some more or less random salt. There is no difference in the resulting hash returned by the crypt function, whether using one of the hashes returned by gensalt or simply using $3$ as a setting for hashing a password with NT.

glibc’s libcrypt could optionally be configured to use Mozilla’s NSS library’s implementations of the cryptographic primitives md5crypt, sha256crypt, and sha512crypt. This option is not available in libxcrypt, because we do not currently believe it is a desirable option. The stated rationale for the option was to source all cryptographic primitives from a library that has undergone FIPS certification, but we believe FIPS certification would need to cover all of libxcrypt itself to have any meaningful value. Moreover, the strongest hashing methods, yescrypt and bcrypt, use cryptographic primitives that are not available from NSS, so the certification would not cover any part of what will hopefully be the most used code paths.