{"id":56,"date":"2009-09-07T16:51:24","date_gmt":"2009-09-07T14:51:24","guid":{"rendered":"http:\/\/log.or.cz\/?p=56"},"modified":"2009-09-08T12:06:01","modified_gmt":"2009-09-08T10:06:01","slug":"make-your-glibc-do-blowfish","status":"publish","type":"post","link":"https:\/\/log.or.cz\/?p=56","title":{"rendered":"Make your glibc do Blowfish"},"content":{"rendered":"<p>Since long, long ago, SUSE glibc has supported the Blowfish crypt() extension &#8211; just start your crypts with <code>$2a$<\/code> etc. and crypt() will fry them using Blowfish. We base this functionality on a rather ancient <a href=\"http:\/\/www.openwall.com\/crypt\/\">OWL patch<\/a>. I wonder if anyone actually makes use of this feature. ;-)<\/p>\n<p>The trouble is, the OWL patch is pretty dirty and introduces its own wrapper crypt() that proxies between glibc&#8217;s MD5\/DES crypt() and its Blowfish backend. And it has a lot of extra functionality no one can use since the appropriate symbols aren&#8217;t actually exported anymore. The patch is based on glibc-2.3.x; I assume back then exporting them worked differently.<\/p>\n<p>However, <a href=\"http:\/\/people.redhat.com\/drepper\/sha-crypt.html\">glibc-2.7 got support for SHA256\/SHA512<\/a> and with it a more flexible crypt() implementation, making it quite easy to plug in more crypt() methods. The trouble is, we didn&#8217;t upgrade our Blowfish patch, so SHA256\/SHA512 was actually blocked out by the wrapper. 
<a href=\"https:\/\/bugzilla.novell.com\/show_bug.cgi?id=529495\">Jan Engelhardt pointed out the problem<\/a>, so I reworked the original OWL patch to take advantage of the new infrastructure (but keeping <code>crypt_blowfish.c<\/code> intact up to turning off <code>BF_ASM<\/code>).<\/p>\n<p>So, if you want to teach your glibc Blowfish hashing, feel free to use <a href=\"http:\/\/pasky.or.cz\/~pasky\/dev\/glibc\/crypt_blowfish-1.0-suse.diff\">http:\/\/pasky.or.cz\/~pasky\/dev\/glibc\/crypt_blowfish-1.0-suse.diff<\/a> :-)<\/p>\n<p><b>Update:<\/b> <a href=\"http:\/\/git.altlinux.org\/people\/ldv\/packages\/?p=glibc.git;a=commit;h=65e27bdd2b91f4d7d3d8cc156f8827b9fb336f42\">Dmitry V. Levin ported the complete old patch to glibc-2.10.1.<\/a> I will not make use of this for SUSE since I think wrapper.c is a rather ugly hack which is not properly integrated into the infrastructure, and it retains potential for future maintenance problems; I don&#8217;t see why the new API shouldn&#8217;t rather integrate into the existing code instead of wrapping around it. The new API is required for <a href=\"http:\/\/www.openwall.com\/tcb\/\">tcb<\/a> but there is no other support for it in SUSE anyway (and no one missed the API for many, many years).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since long, long ago, SUSE glibc has supported the Blowfish crypt() extension &#8211; just start your crypts with $2a$ etc. and crypt() will fry them using Blowfish. We base this functionality on a rather ancient OWL patch. I wonder if anyone actually makes use of this feature. 
;-) The trouble is, the OWL patch is pretty dirty [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,6],"tags":[33,14,34,35,15],"class_list":["post-56","post","type-post","status-publish","format-standard","hentry","category-linux","category-software","tag-blowfish","tag-glibc","tag-owl","tag-patch","tag-suse"],"_links":{"self":[{"href":"https:\/\/log.or.cz\/index.php?rest_route=\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/log.or.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/log.or.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/log.or.cz\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/log.or.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56"}],"version-history":[{"count":5,"href":"https:\/\/log.or.cz\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":61,"href":"https:\/\/log.or.cz\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions\/61"}],"wp:attachment":[{"href":"https:\/\/log.or.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/log.or.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/log.or.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}