Unverified Commit 4e300e07 authored by Martin Weinelt

libxcrypt: Build only with strong hashes

Effectively removes support for the following hashing algorithms
as announced in the NixOS 22.11 release notes:

- bcrypt_x ($2x$)
- sha256crypt ($5$)
- sha1crypt ($sha1$)
- sunmd5 ($md5$)
- md5crypt ($1$)
- nt ($3$)
- bsdicrypt (_)
- bigcrypt (:)
- descrypt (:)

And exposes the crypt scheme ids for enabled algorithms, so they can be
reused for validation in the users-groups module.
parent d9701718
+2 −0
@@ -18,6 +18,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.

- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).

## New Services {#sec-release-23.05-new-services}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
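Review bot: the new bullet is inserted into a file whose next heading is `{#sec-release-23.05-new-services}`, i.e. the 23.05 release notes, while the commit message says the removal was announced in the 22.11 notes; please make the two agree so operators know which upgrade actually drops these hashes. Since entries in `/etc/shadow` (and in Apache2 Basic-Auth, Samba and OpenLDAP stores, as the bullet says) using a disabled scheme will simply stop authenticating, the note should also enumerate the affected prefixes from the commit message (`$1$`, `$5$`, `$sha1$`, `$md5$`, `$3$`, `$2x$`, `_` and the unprefixed DES forms) and tell admins to re-hash such passwords before upgrading.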
+16 −3
@@ -15,7 +15,8 @@ stdenv.mkDerivation rec {
  ];

  configureFlags = [
    "--enable-hashes=all"
    # Update the enabled crypt scheme ids in passthru when the enabled hashes change
    "--enable-hashes=strong"
    "--enable-obsolete-api=glibc"
    "--disable-failure-tokens"
  ] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
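Review bot: the comment above `"--enable-hashes=strong"` asks future editors to keep `passthru.enabledCryptSchemeIds` in sync by hand, which will silently drift when upstream changes which entries in `hashes.conf` carry the `STRONG` flag. Consider backing the comment with an automated check, e.g. a `passthru.tests` derivation that runs `crypt_gensalt` for every listed prefix against the built library and fails on the first one that is rejected, so a version bump that changes the strong set breaks the build instead of the users-groups validation.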
@@ -30,9 +31,21 @@ stdenv.mkDerivation rec {

  doCheck = true;

  passthru.tests = {
  passthru = {
    tests = {
      inherit (nixosTests) login shadow;
    };
    enabledCryptSchemeIds = [
      # https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf
      "y"   # yescrypt
      "gy"  # gost_yescrypt
      "7"   # scrypt
      "2b"  # bcrypt
      "2y"  # bcrypt_y
      "2a"  # bcrypt_a
      "6"   # sha512crypt
    ];
  };

  meta = with lib; {
    description = "Extended crypt library for descrypt, md5crypt, bcrypt, and others";
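Review bot: `meta.description` still reads "Extended crypt library for descrypt, md5crypt, bcrypt, and others", but this very commit disables descrypt and md5crypt; update it to name schemes that are actually built, e.g. "Extended crypt library for yescrypt, bcrypt, sha512crypt, and others". The `enabledCryptSchemeIds` list is also tied to the `v4.4.33` `hashes.conf` link in its comment, so the link (and the list) must be revisited whenever `version` is bumped.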