1libxcrypt NEWS -- history of user-visible changes. 2 3Please send bug reports, questions and suggestions to 4<https://github.com/besser82/libxcrypt/issues>. 5 6Version 4.4.27 7* Limit the maximum amount of rbytes to 64 bytes (512 bits) for 8 yescrypt, gost-yescrypt, and scrypt. Also reflect this limit 9 in the documentation (issue #145). 10 11Version 4.4.26 12* Fix compilation on systems with GCC >= 10, that do not support 13 declarations with __attribute__((symver)). 14 15Version 4.4.25 16* Add support for Python 3.11 in the configure script. 17* Stricter checking of invalid salt characters (issue #135). 18 Hashed passphrases are always entirely printable ASCII, and do 19 not contain any whitespace or the characters ':', ';', '*', '!', 20 or '\'. (These characters are used as delimiters and special 21 markers in the passwd(5) and shadow(5) files.) 22 23Version 4.4.24 24* Add hash group for Debian in lib/hashes.conf. 25 Debian has switched to use the yescrypt hashing algorithm as 26 the default for new user passwords, so we should add a group 27 for this distribution. 28* Overhaul the badsalt test. 29 Test patterns are now mostly generated rather than manually coded 30 into a big table. Not reading past the end of the “setting” part 31 of the string is tested more thoroughly (this would have caught the 32 sunmd5 $$ bug if it had been available at the time). 33 Test logs are tidier. 34* Add ‘test-programs’ utility target to Makefile. 35 It is sometimes useful to compile all the test programs but not run 36 them. Add a Makefile target that does this. 37* Fix incorrect bcrypt-related ifdeffage in test/badsalt.c. 38 The four variants of bcrypt are independently configurable, but the 39 badsalt tests for them were all being toggled by INCLUDE_bcrypt, 40 which is only the macro for the $2b$ variant. 41* Fix bigcrypt-related test cases in test/badsalt.c. 42 The test spec was only correct when both or neither of bigcrypt and 43 descrypt were enabled. 44* Detect ASan in configure and disable incompatible tests. 45 ASan’s “interceptors” for crypt and crypt_r have a semantic conflict 46 with libxcrypt, requiring a few tests to be disabled for builds with 47 -fsanitize-address. See commentary in test/crypt-badargs.c for an 48 explanation of the conflict, and the commentary in 49 build-aux/m4/zw_detect_asan.m4 for why a configure test is required. 50* Fix several issues found by Covscan in the testsuite. These include: 51 - CWE-170: String not null terminated (STRING_NULL) 52 - CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST) 53 - CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) 54 - CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH) 55 - CWE-573: Missing varargs init or cleanup (VARARGS) 56 - CWE-687: Argument cannot be negative (NEGATIVE_RETURNS) 57 58Version 4.4.23 59* Fix output calculation for gensalt_yescrypt_rn(). 60* Fix -Werror=conversion in lib/crypt-des-obsolete.c, 61 test/des-obsolete.c, and test/des-obsolete_r.c. 62 63Version 4.4.22 64* The crypt_checksalt() function has been fixed to correctly return 65 with 'CRYPT_SALT_INVALID', in case the setting, that is passed 66 to be checked, represents an empty passphrase or an uncomputed 67 setting for descrypt without any salt characters. 68 69Version 4.4.21 70* The crypt_checksalt() function will now return the value 71 'CRYPT_SALT_METHOD_LEGACY' in case the setting, that is passed 72 to be checked, uses a hashing method, which is considered to be 73 too weak for use with new passphrases. 74 75Version 4.4.20 76* Fix build when the CFLAGS variable, that is passed into the 77 configure script, has a leading whitespace character in it 78 (issue #123). 79 80Version 4.4.19 81* Improve fallback implementation of explicit_bzero. 82* Add glibc-on-CSKY, ARC, and RISCV-32 entries to libcrypt.minver. 83 These were added in GNU libc 2.29, 2.32, and 2.33 respectively 84 (issue #122). 85* Do not build xcrypt.h if we’re not going to install it. 86* Do not apply --enable-obsolete-api-enosys mode to fcrypt. 87* Compilation fix for NetBSD. NetBSD’s <unistd.h> declares encrypt 88 and setkey to return int, contrary to POSIX (which says they return 89 void). Rename those declarations out of the way with macros. 90* Compilation fixes for building with GCC 11. 91 Basically fixes for explicit type-casting. 92* Force update of existing symlinks during installation (issue #120). 93 94Version 4.4.18 95* Fix compilation errors on (Free)BSD (issue #110). 96* Fix conversion error in lib/alg-gost3411-core.c, which is seen by 97 some sensitive compilers. 98* Convert build scripts to Perl. 99 The minimum version of Perl required is 5.14. 100 101Version 4.4.17 102* Fix compilation error in 'alignas (type)' with older versions 103 of glibc and/or gcc (issue #107). 104* Salt string compatibility with generic implementations (issue #105). 105 All other existing implementations of the md5crypt, sha256crypt, 106 and sha512crypt hashing methods allow any ASCII character to be 107 present in the salt string. 108 We changed our implementation of these hash methods to be compliant 109 with the general behaviour, except for the colon ':' character, 110 which serves a special purpose in the Unix shadow file, and the 111 newline '\n' character, since all parameters of the user data must 112 be on the same line within the Unix shadow file. 113* Fix for GCC 10.2 on s390x. 114 115Version 4.4.16 116* Add support for the e2k architecture. 117 118Version 4.4.15 119* The compatibility symbols crypt_gensalt_r, xcrypt, xcrypt_r, 120 xcrypt_gensalt, and xcrypt_gensalt_r are deprecated further. 121 (These are alternative names for crypt_gensalt_rn, crypt, crypt_r, 122 crypt_gensalt, and crypt_gensalt_rn, respectively; there is no 123 difference in behavior.) 124 125 In an --enable-xcrypt-compat-files configuration, newly compiled 126 programs can still use functions with these names if they include 127 xcrypt.h, but a program that attempts to use one of these functions 128 *without* including xcrypt.h will fail to link. In particular, this 129 means AC_CHECK_FUNCS([xcrypt]) will not detect xcrypt, because the 130 test program generated by AC_CHECK_FUNCS does not include xcrypt.h. 131 132 In a --disable-xcrypt-compat-files --enable-obsolete-api 133 configuration, xcrypt.h is not installed and newly compiled programs 134 cannot use functions with these names, but existing binaries that 135 expect to find these symbols in a shared libcrypt.so.1 will still 136 work. 137 138 In a --disable-obsolete-api configuration, these symbols are not 139 defined at all; moreover, --disable-obsolete-api now implies 140 --disable-xcrypt-compat-files (which means xcrypt.h isn't installed). 141 142Version 4.4.14 143* Renamed bootstrap script: 'bootstrap' -> 'autogen.sh'. 144 If building from a Git checkout instead of a tarball release, 145 use './autogen.sh' to create the configure script. 146 147Version 4.4.13 148* libxcrypt now builds (including working tests) on Mac OSX. 149* Speed up ka-sunmd5 by skipping most of the test phrases. 150 ka-sunmd5 is slower than the entire rest of the testsuite put 151 together, because the sunmd5 hash is Just That Slow and we have to do 152 extra tests for it to ensure bug-compatibility. No easy optimizations 153 are possible and the difficult optimizations are not worth the 154 engineering effort for this obsolete hash. Instead, skip most of the 155 test phrases. See comments in test/ka-table-gen.py!h_sunmd5 for 156 further explanation. 157 158Version 4.4.12 159* Another fix for GCC v10.x, which occurs on s390 architectures only. 160 161Version 4.4.11 162* Fixes for GCC v10.x (issue #95). 163* Change how the known-answer tests are parallelized. 164 165Version 4.4.10 166* Fix ordering of hash methods in crypt-hashes.h when generated 167 using gawk < 4.1.0. 168 169Version 4.4.9 170* Fix false positive finding from CovScan. 171 172Version 4.4.8 173* Add binary compatibility for GNU/Hurd and GNU/kFreeBSD. 174 175Version 4.4.7 176* LICENSING: Add missing files and update license information. 177* Fix -Wformat in test/crypt-kat.c. 178 179Version 4.4.6 180* Make unalignment test really unaligned. 181 182Version 4.4.5 183* Fix alignment problem for GOST 34.11 (Streebog) in gost-yestcrypt. 184 Some architectures in some circumstances do not allow unaligned 185 memory access (such as ARM, MIPS, SPARC) triggering SIGBUS. This 186 patch very crudely fixes this issue. 187 Being unfixed this would trigger SIGBUS when password buffer is 188 unaligned. Crash and fix are tested on UltraSparc T5 on GCC Compile 189 farm. 190 191Version 4.4.4 192* The crypt_* functions will now all fail and set errno to ERANGE if 193 their 'phrase' argument is longer than CRYPT_MAX_PASSPHRASE_SIZE 194 characters (this is currently 512). Formerly, longer passphrases 195 would either be silently accepted, silently truncated, or the 196 library would crash, depending on the hashing method. 197* The NT hashing method no longer truncates passphrases at 128 198 characters; Windows does not do this. (The Windows login dialog 199 _limits_ interactively entered passphrases to 127 characters. 200 Passphrases set via the low-level API can be longer.) 201 202Version 4.4.3 203* Fix the value of SUNMD5_MAX_ROUNDS. 204* Add generated C++-guards to <xcrypt.h>. 205* Add --enable-obsolete-api-enosys configure option. 206 If enabled, this option replaces the obsolete APIs (fcrypt, 207 encrypt{,_r}, and setkey{,_r}) with stubs that set errno to 208 ENOSYS and return without performing any real operations. 209 This allows one to disable DEScrypt support while preserving 210 POSIX compliance. 211 For security reasons, the encrypt{,r} functions will also 212 overwrite their data-block argument with random bits. 213 The fcrypt function will always produce a failure token 214 (*0 or *1), unless the library was also configured with 215 --disable-failure-tokens, in which case it will always 216 return NULL. 217 218Version 4.4.2 219* Add test-alg-yescrypt for improved coverage. 220* Add x32 specific inline asm. 221 222Version 4.4.1 223* Change the output of the gensalt function for the NT hashing method 224 ($3$) to output just its prefix ($3$) instead of a fake salt. 225 The output buffer for the returned string must be at least 4 bytes 226 long. 227* Decrase the minimum required amount of random bytes for the NT 228 hashing method to 1 byte, which is actually not used. 229* The default linker flags now generate binaries with full read-only 230 relocations (including full read-only re-mapping of the GOT), if 231 supported by the linker and the system's native binary format. 232 233Version 4.4.0 234* Implement the crypt_preferred_method function. 235 This function can be used as a convenience function to get the prefix 236 of the preferred hash method. 237 238Version 4.3.4 239* --enable-hashes now supports 'fedora' as a group of hashing methods. 240* Add aliases for xcrypt{,_r} and xcrypt_gensalt{,_r}. 241 They were added for code compatibility with libxcrypt v3.1.1 242 and earlier. 243* Install the <xcrypt.h> header file, declaring the previously named 244 aliases, and a symlink from libxcrypt.so to libcrypt.so, if a shared 245 library is build. For static libraries a corresponding symlink for 246 the archive file will be installed. 247 The installation of the compatibility files can be disabled by 248 passing the '--disable-xcrypt-compat-files' flag to the configure 249 script. 250* Replace the prototype for the crypt_gensalt_r function with a 251 declaration through a macro, so new compiled applications link 252 against the identical crypt_gensalt_rn function directly. 253 254Version 4.3.3 255* Add an alias for crypt_gensalt_r. 256 The function was available in older versions (v3.1.1 and earlier) 257 of libxcrypt. It has the same semantics and the same prototype as 258 the crypt_gensalt_rn function. 259 260Version 4.3.2 261* Fix the gensalt function for the NT hashing method ($3$) to 262 properly terminate its output string. The output buffer for the 263 returned string must be at least 30 bytes long. 264* Remove the gensalt function for the bcrypt x variant ($2x$). 265 This prefix was never intended for use when hashing new passphrases. 266 The only use case originally intended was to manually edit '$2a$' to 267 '$2x$' in passphrase hashes to knowingly take the risk yet enable 268 users to continue to log in when upgrading systems with buggy bcrypt 269 implementations to fixed versions. 270 271Version 4.3.1 272* Reduce the number of methods that can be the default for new hashes. 273 We don’t want to accidentally encourage use of gost-yescrypt, 274 scrypt, or the bug-compatibility bcrypt variants by people who do 275 not have a specific need for them. 276* sha256crypt ($5$) is not considered to be strong anymore. Thus 277 it was dropped from the STRONG and DEFAULT sets. 278* The four variants of bcrypt ($2b$, $2a$, $2y$, $2x$) are now 279 independently selectable at configure time. The $2x$ variant has 280 been dropped from the STRONG set, because it has a severe bug 281 causing it to be easy to find collisions for some passwords. The 282 $2x$ and $2y$ variants have been dropped from the FreeBSD, NetBSD, 283 OpenBSD, and Solaris compatibility sets, because those operating 284 systems never supported those variants. 285 286Version 4.3.0 287* Implement the gost-yescrypt ($gy$) hashing algorithm. 288* Remove all of the nonnull annotations, which are a questionable 289 optimization that have caused problems in the past and may cause 290 future problems on some systems. 291* Rename all hash methods to match naming in John the Ripper. 292* Make the configure switches --enable-obsolete-api and 293 --enable-hashes process their arguments case-insensitively; for 294 instance, "--enable-hashes=OpenBSD" and "--enable-hashes=openbsd" 295 are now understood as synonymous. 296* Fix gensalt for bigcrypt if descrypt hash method is not selected 297 at compile time. 298* Fix the bigcrypt hash method to reject too short settings and/or 299 descrypt hashes with a truncated phrase. Hashes with a setting 300 shorter than 13 characters and phrases shorter than 8 characters 301 are valid bigcrypt hashes, although they are identical with the 302 output generated by descrypt under the same conditions. 303 This only applies when the descrypt hash method is not selected 304 at compile time. 305* Implement crypt_checksalt, which can be used by portable users of 306 libxcrypt to check whether the desired hash method is supported. 307* Make a default prefix available whenever at least one strong hash 308 is enabled. 309* Fix the definition of 'CRYPT_GENSALT_IMPLEMENTS_DEFAULT_PREFIX' 310 to reflect whether the default prefix is available or not. 311 312Version 4.2.3 313* Add bootstrap script. If building from a Git checkout instead of a 314 tarball release, use './bootstrap' to create the configure script. 315* Use sha512 implementation from Colin Percival. Thus we now have a 316 sha512 implementation under the BSD license. 317* Use md5 implementation from Alexander Peslyak. Thus we now have a 318 md5 implementation in the public domain. 319* 'make dist' now generates bzip2 and xz compressed tarballs along 320 with the default gzip compressed tarball. 321* The group 'altlinux' has been renamed to 'alt' in --enable-hashes, 322 as the ALTLINUX distribution has been rebranded to ALT some time ago. 323* New tagged versions are automatically submitted for Coverity Scan: 324 https://scan.coverity.com/projects/besser82-libxcrypt 325 326Version 4.2.2 327* Convert existing manpages to BSD mdoc format. 328 329Version 4.2.1 330* Fix tests for yescrypt and scrypt, when failure-tokens have been 331 disabled. 332 333Version 4.2.0 334* Implement yescrypt ($y$) and scrypt ($7$) hashing algorithms. 335* For scrypt the implemented gensalt function ensures every new hash 336 is computed using at least 32 MiBytes of RAM. 337* yescrypt is the new default method used for new hashes. 338* --enable-hashes now supports additional groups of hashing methods: 339 'altlinux', 'owl', and 'suse', which select the methods historically 340 supported on those operating systems. 341* Added 'XCRYPT_VERSION_*' macros. 342 343Version 4.1.2 344* Add optional 'check-valgrind' target to the Makefile. 345* Replace crypt-sha{256,512}.c with an implementation in the Public 346 Domain. 347* Add alias man-pages for other crypt functions. 348* Add configure option --disable-failure-tokens, which causes crypt 349 and crypt_r to return NULL on failure, as crypt_rn and crypt_ra do, 350 instead of a special "failure token". Using this option improves 351 compatibility with programs written on the assumption that, like 352 most C library functions, crypt and crypt_r will return NULL on 353 failure; but it breaks compatibility with programs that assume these 354 functions never return NULL. We're not sure which type of program 355 is more common. Please let us know if you encounter either. 356* Improved handling of out-of-range cost parameters in gensalt. 357 The behavior is now: 358 - for hashes with a fixed cost parameter (DES/trad, DES/big, NTHASH, 359 MD5/bsd), crypt_gensalt only accepts 0 as the rounds argument. 360 - for hashes with a linear cost parameter (DES/bsdi, MD5/sun, SHA1, 361 SHA256, SHA512), crypt_gensalt accepts 0 or any value in the range 362 [1, ULONG_MAX] and clips it to the actual valid range for the hash 363 function, if necessary. In the case of DES/bsdi, even numbers 364 become odd, as well. 365 - for hashes with an exponential cost parameter (bcrypt), 366 crypt_gensalt only accepts 0 or a value in the actual valid range. 367 - the documented valid range for SHA1 is now [4, 4294967295] instead 368 of [1, 4294967295]. 369 - all of this is tested. 370 371Version 4.1.1 372* --enable-hashes now supports additional groups of hashing methods: 373 'freebsd', 'netbsd', 'openbsd', 'osx', and 'solaris', which select 374 the hashes historically supported on those operating systems. 375* Predictable behavior when arguments to crypt() are NULL or invalid 376 (issue #15). 377* Hash formats $5, $6, and $md5 once again allow an explicit rounds 378 parameter specifying the default number of rounds (issue #16). 379* The library no longer uses swapcontext(), for ease of debugging and 380 better compatibility with hardening mechanisms like Intel CET 381 (issue #18). 382* Can now be built with versions of GNU ld older than 2.26.2. 383* crypt_gensalt_ra no longer leaks memory on failure. 384 385Version 4.1.0 386* Fix spelling of SUSE. 387* Lower the minimum required automake version to 1.14. 388* Fix build with USE_SWAPCONTEXT turned off. 389* Extend --enable-weak-hashes configure option to accept optional 390 "glibc" parameter. When specified, it enables only those of 391 weak hashes that are supported by historic versions of the 392 GNU libc. 393* Fix the leak of obtained random bytes. 394* Check expected output strings for deterministic methods. 395* Fix memory leak in crypt_sha1crypt_rn. 396* Fix read of random bytes out of bounds in gensalt_sha1crypt_rn. 397* Make it possible to disable individual hashes at configure time. 398 The default is --enable-hashes=all. --enable-hashes=strong is the 399 equivalent of the old --disable-weak-hashes. You could even do 400 --enable-hashes=bcrypt,des to get a binary-compatible libcrypt.so.1 401 that still supports almost nothing other than bcrypt. 402* Make salt validation pickier. 403* Replace crypt-sunmd5.c with BSD-licensed cleanroom reimplementation. 404* Make crypt_gensalt for $sha1 deterministic. 405* Fix incorrect output-size computation in crypt_sha1crypt_rn. 406* Add docs for SHA1, MD5/Sun, NTHASH. 407* Introduce CRYPT_GENSALT_IMPLEMENTS_* feature test macros. 408* Install libcrypt.pc symlink along with libxcrypt.pc. 409* Extend --enable-obsolete-api configure option. 410 Make vendor specific parts of compatibility ABI that are enabled by 411 --enable-obsolete-api option configurable. 412 This allows vendors to enable only those parts of compatibility ABI 413 that are relevant to them. 414* Extend overall test coverage. 415 416Version 4.0.1 417* Fixes for GCC v8.x 418* Add symbol version for riscv64 419* Fixed an uninitialized value in test-crypt-badsalt 420 421Version 4.0.0 422* Full binary backward compatibility with glibc libcrypt; all programs 423 compiled with glibc libcrypt, including vendor-patched versions that 424 include the Openwall extensions, should work with this libcrypt 425 (however, programs compiled against this libcrypt will NOT work with 426 glibc libcrypt). 427* struct crypt_data is now only 32kB (from 128kB), and divided into a 428 public-API section and a properly opaque internal section. 429* New feature: supplying a null pointer as the "prefix" argument to 430 any of the crypt_gencrypt functions will cause it to select the best 431 available hash function (in this release, bcrypt in mode 'a'). 432 CAUTION: it must be a null pointer, not an empty string. If you 433 supply an empty string, that selects DES, which is the *worst* 434 available hash function. 435* New feature: supplying a null pointer as the "rbytes" argument to 436 any of the crypt_gencrypt functions will cause it to acquire random 437 bytes from the operating system. 438* The legacy functions bigcrypt, fcrypt, encrypt, encrypt_r, 439 setkey, and setkey_r are no longer available for use by new programs. 440 All of these (except fcrypt, which was just another name for crypt) 441 force the use of DES, which is no longer safe for any application. 442* New configure option --disable-obsolete-api removes the above 443 functions from the library. Since this breaks compatibility with 444 glibc's libcrypt, when this option is used the shared library will 445 be libcrypt.so.2 instead of libcrypt.so.1, and all of the 446 compatibility symbol versions for the crypt* functions will be 447 omitted. This option is the default on all operating systems where 448 there is no GNU C Library to be compatible with. 449* New configure option --disable-weak-hashes removes all support for 450 DES and MD5 hashes from the library. This option implies 451 --disable-obsolete-api, and will prevent DES and MD5 password hashes 452 from being *verified* -- accounts with such hashes are effectively 453 locked. It is intended for use in high-security new installations. 454* Sensitive intermediate data is now thoroughly scrubbed from the 455 stack and CPU registers before the crypt functions return to their 456 callers. 457* UFC-crypt has been replaced with FreeSec; this enables the reduction in 458 size of crypt_data, and adds full support for BSD extended DES hashes. 459* Extensive code cleanup and portability work. The static library 460 should now be buildable with any C99 compiler, although some 461 features may not be available (notably acquiring random bytes from 462 the operating system and scrubbing the stack). The shared library 463 does still require some GNU extensions for symbol versioning. 464* The configure options --enable-Wno-cast-align and --enable-bootstrap 465 are no longer necessary and have been removed. 466* If building from a Git checkout instead of a tarball release, use 467 'autoreconf -i' to create the configure script; autogen.sh has been 468 removed. 469* More thoroughly tested. 470 471Version 3.1.1 472* Add '--enable-Wno-cast-align' to silence 'cast increases required alignment' 473* Whitespace clean-up 474 475Version 3.1.0 476* Update upstream-contact 477* Add './configure --enable-bootstrap' to skip some tests on initial build 478* Add bootstrap-script for Autotools 479* Add LICENSE for bcrypt 480* Update crypt_blowfish to v1.3 481* Add '-Wextra' to CFLAGS 482* Fix warnings generated by gcc 5.1.1 483* Update Autotools 484 485Version 3.0.4 486* Fix warnings generated by gcc 4.6 487 488Version 3.0.3 489* Fix memory leak 490* Fix compiler warnings 491 492Version 3.0.2 493* Fix generating salts for MD5 494 495Version 3.0.1 496* Fix build failures 497 498Version 3.0 499* Add sha256 and sha512 hashes 500* Move all hashes into plugins 501 502Version 2.4 503* Sync with crypt_blowfish 1.0 504 505Version 2.3 506* Fix problems with gcc > 4.0 507 508Version 2.2 509* Fix realloc call in md5-crypt 510 511Version 2.1 512* Enable x86.S for i386 again 513 514Version 2.0 515* Rename all crypt* functions to xcrypt* to avoid clash with normal 516 libcrypt from glibc 517 518Version 1.4 519* Fix compiling with glibc > 2.3.1 520* Sync with crypt_blowfish 0.4.5 521 522Version 1.3 523* Sync with current glibc CVS (fix for not correct initialication of 524 internal data structs) 525 526Version 1.2 527* Fix building with glibc 2.3.x 528* Add support for HPPA 529 530Version 1.1 531* merge md5.h with xcrypt.h 532* Add SHA1 functions and crypt 533 534Version 1.0 535* First release 536