[patch]: document SHA-2 support in glibc crypt()
Maxim Dounin
mdounin at mdounin.ru
Tue Oct 10 17:29:43 UTC 2017
Hello!
On Mon, Oct 09, 2017 at 11:18:47PM +0300, Leonid Evdokimov wrote:
> On Mon, Oct 09, 2017 at 10:44:11PM +0300, Maxim Dounin wrote:
> > All crypt() schemes available on a particular OS are supported, and
> > this is what is written in the above paragraph.
>
> I added that note to provide disambiguation that the actual libc crypt() is
> used. I was under the assumption that only some "plain old crypt()" is
> actually supported (like the DES one), as the example does not refer to
> the system crypt(), but refers to openssl and htpasswd. I was unaware of
> the platform crypt() call till I actually looked at the source code :)
The paragraph in question is expected to say that nginx uses the
crypt() function as provided by system libraries. If it is not
clear, we can consider improving the wording, and/or providing
examples on how to use the tools mentioned to generate various
types of passwords understood by crypt(). In particular, openssl
by default generates traditional crypt() hashes, and can be used
to generate $1$ hashes with the "-1" switch:

$ openssl passwd foo
GLJoKLSDZtEYU
$ openssl passwd -1 foo
$1$k8V9xFsq$y6xcPzRK5YW1QubxEm9kL1

(Not-yet-released openssl 1.1.1 also supports "-5" and "-6", though
I would rather refrain from providing relevant examples.)
> > It is not clear why to document $5$ and $6$ explicitly.
>
> That's just an example. These two are documented in crypt(3) manpage:
> MD5-based $1$ is already documented and $2a$ is not available in
> "default" build of glibc.
It is not clear what you mean by saying "MD5-based $1$ is already
documented". In nginx documentation there is nothing about $1$.
There is a paragraph about $apr1$, Apache variant of $1$, which is
similar, but is not crypt()-based - instead, it is explicitly
implemented as a platform-independent solution which is available
on all platforms including Windows. And this is why it is
documented explicitly.
--
Maxim Dounin
http://nginx.org/
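
The following is an added example, not part of the message above and not nginx code: a small audit script that reads a password file and reports, per entry, which scheme the hash uses and whether it is checked by the system crypt() or by the platform-independent $apr1$ code, as the thread distinguishes them. The function names, the name:password:comment field layout, the length patterns for each scheme and the sample entries (other than the two openssl outputs quoted in the message) are assumptions or constructed for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt()-style hash encodings
# (pattern, scheme, who verifies it according to the thread above)
SCHEMES = [
    (rf"\$apr1\${B64}{{0,8}}\${B64}{{22}}", "apr1-md5", "built-in"),
    (rf"\$1\${B64}{{0,8}}\${B64}{{22}}", "md5-crypt", "system crypt()"),
    (rf"\$5\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{43}}", "sha256-crypt", "system crypt()"),
    (rf"\$6\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{86}}", "sha512-crypt", "system crypt()"),
    (rf"\$2[abxy]?\$\d\d\${B64}{{53}}", "bcrypt", "system crypt()"),
    (rf"{B64}{{13}}", "des-crypt", "system crypt()"),  # traditional crypt()
]
COMPILED = [(re.compile(p), s, v) for p, s, v in SCHEMES]


def classify(hash_field):
    """Return (scheme, verifier) for one stored password hash."""
    for pattern, scheme, verifier in COMPILED:
        if pattern.fullmatch(hash_field):
            return scheme, verifier
    return "unrecognized", "unknown"


def audit(htpasswd_text):
    """Return a list of (user, scheme, verifier), skipping blanks and comments."""
    rows = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)  # name:password[:comment]
        if len(fields) < 2:
            rows.append((fields[0], "malformed", "unknown"))
            continue
        rows.append((fields[0], *classify(fields[1])))
    return rows


# Constructed sample file; only alice's and bob's hashes come from the message.
SAMPLE = "\n".join([
    "# constructed sample",
    "alice:GLJoKLSDZtEYU",
    "bob:$1$k8V9xFsq$y6xcPzRK5YW1QubxEm9kL1:comment",
    "carol:$apr1$constrct$" + "A" * 22,
    "dave:$6$rounds=5000$constructedsalt$" + "A" * 86,
    "erin:not-a-hash",
])

if __name__ == "__main__":
    for user, scheme, verifier in audit(SAMPLE):
        print(f"{user:8} {scheme:14} {verifier}")
```

Entries reported as "system crypt()" only authenticate on a host whose libc implements that scheme, so this listing is worth checking before moving a password file between platforms.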