1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
|
libxcrypt NEWS -- history of user-visible changes.
Please send bug reports, questions and suggestions to
<https://github.com/besser82/libxcrypt/issues>.
Version 4.4.25
Version 4.4.24
* Add hash group for Debian in lib/hashes.conf.
Debian has switched to use the yescrypt hashing algorithm as
the default for new user passwords, so we should add a group
for this distribution.
* Overhaul the badsalt test.
Test patterns are now mostly generated rather than manually coded
into a big table. Not reading past the end of the “setting” part
of the string is tested more thoroughly (this would have caught the
sunmd5 $$ bug if it had been available at the time).
Test logs are tidier.
* Add ‘test-programs’ utility target to Makefile.
It is sometimes useful to compile all the test programs but not run
them. Add a Makefile target that does this.
* Fix incorrect bcrypt-related ifdeffage in test/badsalt.c.
The four variants of bcrypt are independently configurable, but the
badsalt tests for them were all being toggled by INCLUDE_bcrypt,
which is only the macro for the $2b$ variant.
* Fix bigcrypt-related test cases in test/badsalt.c.
The test spec was only correct when both or neither of bigcrypt and
descrypt were enabled.
* Detect ASan in configure and disable incompatible tests.
ASan’s “interceptors” for crypt and crypt_r have a semantic conflict
with libxcrypt, requiring a few tests to be disabled for builds with
-fsanitize-address. See commentary in test/crypt-badargs.c for an
explanation of the conflict, and the commentary in
build-aux/zw_detect_asan.m4 for why a configure test is required.
* Fix several issues found by Covscan in the testsuite. These include:
- CWE-170: String not null terminated (STRING_NULL)
- CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST)
- CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
- CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH)
- CWE-573: Missing varargs init or cleanup (VARARGS)
- CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
Version 4.4.23
* Fix output calculation for gensalt_yescrypt_rn().
* Fix -Werror=conversion in lib/crypt-des-obsolete.c,
test/des-obsolete.c, and test/des-obsolete_r.c.
Version 4.4.22
* The crypt_checksalt() function has been fixed to correctly return
with 'CRYPT_SALT_INVALID', in case the setting, that is passed
to be checked, represents an empty passphrase or an uncomputed
setting for descrypt without any salt characters.
Version 4.4.21
* The crypt_checksalt() function will now return the value
'CRYPT_SALT_METHOD_LEGACY' in case the setting, that is passed
to be checked, uses a hashing method, which is considered to be
too weak for use with new passphrases.
Version 4.4.20
* Fix build when the CFLAGS variable, that is passed into the
configure script, has a leading whitespace character in it
(issue #123).
Version 4.4.19
* Improve fallback implementation of explicit_bzero.
* Add glibc-on-CSKY, ARC, and RISCV-32 entries to libcrypt.minver.
These were added in GNU libc 2.29, 2.32, and 2.33 respectively
(issue #122).
* Do not build xcrypt.h if we’re not going to install it.
* Do not apply --enable-obsolete-api-enosys mode to fcrypt.
* Compilation fix for NetBSD. NetBSD’s <unistd.h> declares encrypt
and setkey to return int, contrary to POSIX (which says they return
void). Rename those declarations out of the way with macros.
* Compilation fixes for building with GCC 11.
Basically fixes for explicit type-casting.
* Force update of existing symlinks during installation (issue #120).
Version 4.4.18
* Fix compilation errors on (Free)BSD (issue #110).
* Fix conversion error in lib/alg-gost3411-core.c, which is seen by
some sensitive compilers.
* Convert build scripts to Perl.
The minimum version of Perl required is 5.14.
Version 4.4.17
* Fix compilation error in 'alignas (type)' with older versions
of glibc and/or gcc (issue #107).
* Salt string compatibility with generic implementations (issue #105).
All other existing implementations of the md5crypt, sha256crypt,
and sha512crypt hashing methods allow any ASCII character to be
present in the salt string.
We changed our implementation of these hash methods to be compliant
with the general behaviour, except for the colon ':' character,
which serves a special purpose in the Unix shadow file, and the
newline '\n' character, since all parameters of the user data must
be on the same line within the Unix shadow file.
* Fix for GCC 10.2 on s390x.
Version 4.4.16
* Add support for the e2k architecture.
Version 4.4.15
* The compatibility symbols crypt_gensalt_r, xcrypt, xcrypt_r,
xcrypt_gensalt, and xcrypt_gensalt_r are deprecated further.
(These are alternative names for crypt_gensalt_rn, crypt, crypt_r,
crypt_gensalt, and crypt_gensalt_rn, respectively; there is no
difference in behavior.)
In an --enable-xcrypt-compat-files configuration, newly compiled
programs can still use functions with these names if they include
xcrypt.h, but a program that attempts to use one of these functions
*without* including xcrypt.h will fail to link. In particular, this
means AC_CHECK_FUNCS([xcrypt]) will not detect xcrypt, because the
test program generated by AC_CHECK_FUNCS does not include xcrypt.h.
In a --disable-xcrypt-compat-files --enable-obsolete-api
configuration, xcrypt.h is not installed and newly compiled programs
cannot use functions with these names, but existing binaries that
expect to find these symbols in a shared libcrypt.so.1 will still
work.
In a --disable-obsolete-api configuration, these symbols are not
defined at all; moreover, --disable-obsolete-api now implies
--disable-xcrypt-compat-files (which means xcrypt.h isn't installed).
Version 4.4.14
* Renamed bootstrap script: 'bootstrap' -> 'autogen.sh'.
If building from a Git checkout instead of a tarball release,
use './autogen.sh' to create the configure script.
Version 4.4.13
* libxcrypt now builds (including working tests) on Mac OSX.
* Speed up ka-sunmd5 by skipping most of the test phrases.
ka-sunmd5 is slower than the entire rest of the testsuite put
together, because the sunmd5 hash is Just That Slow and we have to do
extra tests for it to ensure bug-compatibility. No easy optimizations
are possible and the difficult optimizations are not worth the
engineering effort for this obsolete hash. Instead, skip most of the
test phrases. See comments in test/ka-table-gen.py!h_sunmd5 for
further explanation.
Version 4.4.12
* Another fix for GCC v10.x, which occurs on s390 architectures only.
Version 4.4.11
* Fixes for GCC v10.x (issue #95).
* Change how the known-answer tests are parallelized.
Version 4.4.10
* Fix ordering of hash methods in crypt-hashes.h when generated
using gawk < 4.1.0.
Version 4.4.9
* Fix false positive finding from CovScan.
Version 4.4.8
* Add binary compatibility for GNU/Hurd and GNU/kFreeBSD.
Version 4.4.7
* LICENSING: Add missing files and update license information.
* Fix -Wformat in test/crypt-kat.c.
Version 4.4.6
* Make unalignment test really unaligned.
Version 4.4.5
* Fix alignment problem for GOST 34.11 (Streebog) in gost-yestcrypt.
Some architectures in some circumstances do not allow unaligned
memory access (such as ARM, MIPS, SPARC) triggering SIGBUS. This
patch very crudely fixes this issue.
Being unfixed this would trigger SIGBUS when password buffer is
unaligned. Crash and fix are tested on UltraSparc T5 on GCC Compile
farm.
Version 4.4.4
* The crypt_* functions will now all fail and set errno to ERANGE if
their 'phrase' argument is longer than CRYPT_MAX_PASSPHRASE_SIZE
characters (this is currently 512). Formerly, longer passphrases
would either be silently accepted, silently truncated, or the
library would crash, depending on the hashing method.
* The NT hashing method no longer truncates passphrases at 128
characters; Windows does not do this. (The Windows login dialog
_limits_ interactively entered passphrases to 127 characters.
Passphrases set via the low-level API can be longer.)
Version 4.4.3
* Fix the value of SUNMD5_MAX_ROUNDS.
* Add generated C++-guards to <xcrypt.h>.
* Add --enable-obsolete-api-enosys configure option.
If enabled, this option replaces the obsolete APIs (fcrypt,
encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
ENOSYS and return without performing any real operations.
This allows one to disable DEScrypt support while preserving
POSIX compliance.
For security reasons, the encrypt{,r} functions will also
overwrite their data-block argument with random bits.
The fcrypt function will always produce a failure token
(*0 or *1), unless the library was also configured with
--disable-failure-tokens, in which case it will always
return NULL.
Version 4.4.2
* Add test-alg-yescrypt for improved coverage.
* Add x32 specific inline asm.
Version 4.4.1
* Change the output of the gensalt function for the NT hashing method
($3$) to output just its prefix ($3$) instead of a fake salt.
The output buffer for the returned string must be at least 4 bytes
long.
* Decrase the minimum required amount of random bytes for the NT
hashing method to 1 byte, which is actually not used.
* The default linker flags now generate binaries with full read-only
relocations (including full read-only re-mapping of the GOT), if
supported by the linker and the system's native binary format.
Version 4.4.0
* Implement the crypt_preferred_method function.
This function can be used as a convenience function to get the prefix
of the preferred hash method.
Version 4.3.4
* --enable-hashes now supports 'fedora' as a group of hashing methods.
* Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}.
They were added for code compatibility with libxcrypt v3.1.1
and earlier.
* Install the <xcrypt.h> header file, declaring the previously named
aliases, and a symlink from libxcrypt.so to libcrypt.so, if a shared
library is build. For static libraries a corresponding symlink for
the archive file will be installed.
The installation of the compatibility files can be disabled by
passing the '--disable-xcrypt-compat-files' flag to the configure
script.
* Replace the prototype for the crypt_gensalt_r function with a
declaration through a macro, so new compiled applications link
against the identical crypt_gensalt_rn function directly.
Version 4.3.3
* Add an alias for crypt_gensalt_r.
The function was available in older versions (v3.1.1 and earlier)
of libxcrypt. It has the same semantics and the same prototype as
the crypt_gensalt_rn function.
Version 4.3.2
* Fix the gensalt function for the NT hashing method ($3$) to
properly terminate its output string. The output buffer for the
returned string must be at least 30 bytes long.
* Remove the gensalt function for the bcrypt x variant ($2x$).
This prefix was never intended for use when hashing new passphrases.
The only use case originally intended was to manually edit '$2a$' to
'$2x$' in passphrase hashes to knowingly take the risk yet enable
users to continue to log in when upgrading systems with buggy bcrypt
implementations to fixed versions.
Version 4.3.1
* Reduce the number of methods that can be the default for new hashes.
We don’t want to accidentally encourage use of gost-yescrypt,
scrypt, or the bug-compatibility bcrypt variants by people who do
not have a specific need for them.
* sha256crypt ($5$) is not considered to be strong anymore. Thus
it was dropped from the STRONG and DEFAULT sets.
* The four variants of bcrypt ($2b$, $2a$, $2y$, $2x$) are now
independently selectable at configure time. The $2x$ variant has
been dropped from the STRONG set, because it has a severe bug
causing it to be easy to find collisions for some passwords. The
$2x$ and $2y$ variants have been dropped from the FreeBSD, NetBSD,
OpenBSD, and Solaris compatibility sets, because those operating
systems never supported those variants.
Version 4.3.0
* Implement the gost-yescrypt ($gy$) hashing algorithm.
* Remove all of the nonnull annotations, which are a questionable
optimization that have caused problems in the past and may cause
future problems on some systems.
* Rename all hash methods to match naming in John the Ripper.
* Make the configure switches --enable-obsolete-api and
--enable-hashes process their arguments case-insensitively; for
instance, "--enable-hashes=OpenBSD" and "--enable-hashes=openbsd"
are now understood as synonymous.
* Fix gensalt for bigcrypt if descrypt hash method is not selected
at compile time.
* Fix the bigcrypt hash method to reject too short settings and/or
descrypt hashes with a truncated phrase. Hashes with a setting
shorter than 13 characters and phrases shorter than 8 characters
are valid bigcrypt hashes, although they are identical with the
output generated by descrypt under the same conditions.
This only applies when the descrypt hash method is not selected
at compile time.
* Implement crypt_checksalt, which can be used by portable users of
libxcrypt to check whether the desired hash method is supported.
* Make a default prefix available whenever at least one strong hash
is enabled.
* Fix the definition of 'CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX'
to reflect whether the default prefix is available or not.
Version 4.2.3
* Add bootstrap script. If building from a Git checkout instead of a
tarball release, use './bootstrap' to create the configure script.
* Use sha512 implementation from Colin Percival. Thus we now have a
sha512 implementation under the BSD license.
* Use md5 implementation from Alexander Peslyak. Thus we now have a
md5 implementation in the public domain.
* 'make dist' now generates bzip2 and xz compressed tarballs along
with the default gzip compressed tarball.
* The group 'altlinux' has been renamed to 'alt' in --enable-hashes,
as the ALTLINUX distribution has been rebranded to ALT some time ago.
* New tagged versions are automatically submitted for Coverity Scan:
https://scan.coverity.com/projects/besser82-libxcrypt
Version 4.2.2
* Convert existing manpages to BSD mdoc format.
Version 4.2.1
* Fix tests for yescrypt and scrypt, when failure-tokens have been
disabled.
Version 4.2.0
* Implement yescrypt ($y$) and scrypt ($7$) hashing algorithms.
* For scrypt the implemented gensalt function ensures every new hash
is computed using at least 32 MiBytes of RAM.
* yescrypt is the new default method used for new hashes.
* --enable-hashes now supports additional groups of hashing methods:
'altlinux', 'owl', and 'suse', which select the methods historically
supported on those operating systems.
* Added 'XCRYPT_VERSION_*' macros.
Version 4.1.2
* Add optional 'check-valgrind' target to the Makefile.
* Replace crypt-sha{256,512}.c with an implementation in the Public
Domain.
* Add alias man-pages for other crypt functions.
* Add configure option --disable-failure-tokens, which causes crypt
and crypt_r to return NULL on failure, as crypt_rn and crypt_ra do,
instead of a special "failure token". Using this option improves
compatibility with programs written on the assumption that, like
most C library functions, crypt and crypt_r will return NULL on
failure; but it breaks compatibility with programs that assume these
functions never return NULL. We're not sure which type of program
is more common. Please let us know if you encounter either.
* Improved handling of out-of-range cost parameters in gensalt.
The behavior is now:
- for hashes with a fixed cost parameter (DES/trad, DES/big, NTHASH,
MD5/bsd), crypt_gensalt only accepts 0 as the rounds argument.
- for hashes with a linear cost parameter (DES/bsdi, MD5/sun, SHA1,
SHA256, SHA512), crypt_gensalt accepts 0 or any value in the range
[1, ULONG_MAX] and clips it to the actual valid range for the hash
function, if necessary. In the case of DES/bsdi, even numbers
become odd, as well.
- for hashes with an exponential cost parameter (bcrypt),
crypt_gensalt only accepts 0 or a value in the actual valid range.
- the documented valid range for SHA1 is now [4, 4294967295] instead
of [1, 4294967295].
- all of this is tested.
Version 4.1.1
* --enable-hashes now supports additional groups of hashing methods:
'freebsd', 'netbsd', 'openbsd', 'osx', and 'solaris', which select
the hashes historically supported on those operating systems.
* Predictable behavior when arguments to crypt() are NULL or invalid
(issue #15).
* Hash formats $5, $6, and $md5 once again allow an explicit rounds
parameter specifying the default number of rounds (issue #16).
* The library no longer uses swapcontext(), for ease of debugging and
better compatibility with hardening mechanisms like Intel CET
(issue #18).
* Can now be built with versions of GNU ld older than 2.26.2.
* crypt_gensalt_ra no longer leaks memory on failure.
Version 4.1.0
* Fix spelling of SUSE.
* Lower the minimum required automake version to 1.14.
* Fix build with USE_SWAPCONTEXT turned off.
* Extend --enable-weak-hashes configure option to accept optional
"glibc" parameter. When specified, it enables only those of
weak hashes that are supported by historic versions of the
GNU libc.
* Fix the leak of obtained random bytes.
* Check expected output strings for deterministic methods.
* Fix memory leak in crypt_sha1crypt_rn.
* Fix read of random bytes out of bounds in gensalt_sha1crypt_rn.
* Make it possible to disable individual hashes at configure time.
The default is --enable-hashes=all. --enable-hashes=strong is the
equivalent of the old --disable-weak-hashes. You could even do
--enable-hashes=bcrypt,des to get a binary-compatible libcrypt.so.1
that still supports almost nothing other than bcrypt.
* Make salt validation pickier.
* Replace crypt-sunmd5.c with BSD-licensed cleanroom reimplementation.
* Make crypt_gensalt for $sha1 deterministic.
* Fix incorrect output-size computation in crypt_sha1crypt_rn.
* Add docs for SHA1, MD5/Sun, NTHASH.
* Introduce CRYPT_GENSALT_IMPLEMENTS_* feature test macros.
* Install libcrypt.pc symlink along with libxcrypt.pc.
* Extend --enable-obsolete-api configure option.
Make vendor specific parts of compatibility ABI that are enabled by
--enable-obsolete-api option configurable.
This allows vendors to enable only those parts of compatibility ABI
that are relevant to them.
* Extend overall test coverage.
Version 4.0.1
* Fixes for GCC v8.x
* Add symbol version for riscv64
* Fixed an uninitialized value in test-crypt-badsalt
Version 4.0.0
* Full binary backward compatibility with glibc libcrypt; all programs
compiled with glibc libcrypt, including vendor-patched versions that
include the Openwall extensions, should work with this libcrypt
(however, programs compiled against this libcrypt will NOT work with
glibc libcrypt).
* struct crypt_data is now only 32kB (from 128kB), and divided into a
public-API section and a properly opaque internal section.
* New feature: supplying a null pointer as the "prefix" argument to
any of the crypt_gencrypt functions will cause it to select the best
available hash function (in this release, bcrypt in mode 'a').
CAUTION: it must be a null pointer, not an empty string. If you
supply an empty string, that selects DES, which is the *worst*
available hash function.
* New feature: supplying a null pointer as the "rbytes" argument to
any of the crypt_gencrypt functions will cause it to acquire random
bytes from the operating system.
* The legacy functions bigcrypt, fcrypt, encrypt, encrypt_r,
setkey, and setkey_r are no longer available for use by new programs.
All of these (except fcrypt, which was just another name for crypt)
force the use of DES, which is no longer safe for any application.
* New configure option --disable-obsolete-api removes the above
functions from the library. Since this breaks compatibility with
glibc's libcrypt, when this option is used the shared library will
be libcrypt.so.2 instead of libcrypt.so.1, and all of the
compatibility symbol versions for the crypt* functions will be
omitted. This option is the default on all operating systems where
there is no GNU C Library to be compatible with.
* New configure option --disable-weak-hashes removes all support for
DES and MD5 hashes from the library. This option implies
--disable-obsolete-api, and will prevent DES and MD5 password hashes
from being *verified* -- accounts with such hashes are effectively
locked. It is intended for use in high-security new installations.
* Sensitive intermediate data is now thoroughly scrubbed from the
stack and CPU registers before the crypt functions return to their
callers.
* UFC-crypt has been replaced with FreeSec; this enables the reduction in
size of crypt_data, and adds full support for BSD extended DES hashes.
* Extensive code cleanup and portability work. The static library
should now be buildable with any C99 compiler, although some
features may not be available (notably acquiring random bytes from
the operating system and scrubbing the stack). The shared library
does still require some GNU extensions for symbol versioning.
* The configure options --enable-Wno-cast-align and --enable-bootstrap
are no longer necessary and have been removed.
* If building from a Git checkout instead of a tarball release, use
'autoreconf -i' to create the configure script; autogen.sh has been
removed.
* More thoroughly tested.
Version 3.1.1
* Add '--enable-Wno-cast-align' to silence 'cast increases required alignment'
* Whitespace clean-up
Version 3.1.0
* Update upstream-contact
* Add './configure --enable-bootstrap' to skip some tests on initial build
* Add bootstrap-script for Autotools
* Add LICENSE for bcrypt
* Update crypt_blowfish to v1.3
* Add '-Wextra' to CFLAGS
* Fix warnings generated by gcc 5.1.1
* Update Autotools
Version 3.0.4
* Fix warnings generated by gcc 4.6
Version 3.0.3
* Fix memory leak
* Fix compiler warnings
Version 3.0.2
* Fix generating salts for MD5
Version 3.0.1
* Fix build failures
Version 3.0
* Add sha256 and sha512 hashes
* Move all hashes into plugins
Version 2.4
* Sync with crypt_blowfish 1.0
Version 2.3
* Fix problems with gcc > 4.0
Version 2.2
* Fix realloc call in md5-crypt
Version 2.1
* Enable x86.S for i386 again
Version 2.0
* Rename all crypt* functions to xcrypt* to avoid clash with normal
libcrypt from glibc
Version 1.4
* Fix compiling with glibc > 2.3.1
* Sync with crypt_blowfish 0.4.5
Version 1.3
* Sync with current glibc CVS (fix for not correct initialication of
internal data structs)
Version 1.2
* Fix building with glibc 2.3.x
* Add support for HPPA
Version 1.1
* merge md5.h with xcrypt.h
* Add SHA1 functions and crypt
Version 1.0
* First release
|