[patch]: document SHA-2 support in glibc crypt()

Leonid Evdokimov leon at darkk.net.ru
Mon Oct 9 20:18:47 UTC 2017

On Mon, Oct 09, 2017 at 10:44:11PM +0300, Maxim Dounin wrote:
> All crypt() schemes available on a particular OS are supported, and
> this is what is written in the above paragraph.

I added that note to provide disambiguation that actual libc crypt() is
used, I was under assumption that some only "plain old crypt()" is
actually supported (like DES one) as the example does not refer to
system crypt(), but refers to openssl and htpasswd. I was unaware of
platform crypt() call till I have actually looked at the source code :)

> It is not clear why to document $5$ and $6$ explicitly.

That's just an example. These two are documented in crypt(3) manpage:
MD5-based $1$ is already documented and $2a$ is not available in
"default" build of glibc.

> (Also, it might not be a good idea to actually use $5$ and especially
> $6$ crypt schemes for web authentication, as crypt() is needed for
> each request, and these schemes are quite CPU intensive.)

Yep, that's true, that's 5000 rounds of SHA-2 and that's ~2..3ms of CPU
time per request.

WBRBW, Leonid Evdokimov, xmpp:leon at darkk.net.ru http://darkk.net.ru tel:+79816800702
PGP: 6691 DE6B 4CCD C1C1 76A0  0D4A E1F2 A980 7F50 FAB2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20171009/1ae3af45/attachment.bin>

More information about the nginx-devel mailing list