libxcrypt: Build only with strong hashes

Effectively removes support for the following hashing algorithms as announced in the NixOS 22.11 release notes: - bcrypt_x ($2x$) - sha256crypt ($5$) - sha1crypt ($sha1$) - sunmd5 ($md5$) - md5crypt ($1$) - nt ($3$) - bdiscrypt (_) - bigcrypt (:) - descrypt (:) And exposes the crypt scheme ids for enabled algorithms, so they can be reused for validation in the users-groups module.
2024-11-01 23:22:37 +00:00 · 2023-03-10 19:25:45 +01:00 · 2023-03-10 19:25:45 +01:00 · 4e300e071b
commit 4e300e071b
parent d97017184f
2 changed files with 18 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@ -18,6 +18,8 @@ In addition to numerous new and upgraded packages, this release has the followin

 - `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.

+- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
+
 ## New Services {#sec-release-23.05-new-services}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/pkgs/development/libraries/libxcrypt/default.nix
+++ b/pkgs/development/libraries/libxcrypt/default.nix
@ -15,7 +15,8 @@ stdenv.mkDerivation rec {
  ];

  configureFlags = [
-    "--enable-hashes=all"
+    # Update the enabled crypt scheme ids in passthru when the enabled hashes change
+    "--enable-hashes=strong"
    "--enable-obsolete-api=glibc"
    "--disable-failure-tokens"
  ] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
@ -30,8 +31,20 @@ stdenv.mkDerivation rec {

  doCheck = true;

-  passthru.tests = {
-    inherit (nixosTests) login shadow;
+  passthru = {
+    tests = {
+      inherit (nixosTests) login shadow;
+    };
+    enabledCryptSchemeIds = [
+      # https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf
+      "y"   # yescrypt
+      "gy"  # gost_yescrypt
+      "7"   # scrypt
+      "2b"  # bcrypt
+      "2y"  # bcrypt_y
+      "2a"  # bcrypt_a
+      "6"   # sha512crypt
+    ];
  };

  meta = with lib; {