crypt_blowfish is a modern password hashing for your software and your servers.
This is an implementation of a modern password hashing algorithm, based on the Blowfish block cipher, provided via the crypt(3) and a reentrant interface. It is compatible with bcrypt (version 2a) by Niels Provos and David Mazieres, as used in OpenBSD.
The most important property of bcrypt (and thus crypt_blowfish) is that it is adaptable to future processor performance improvements, allowing you to arbitrarily increase the processing cost of checking a password while still maintaining compatibility with your older password hashes. Already now bcrypt hashes you would use are several orders of magnitude stronger than traditional Unix DES-based or FreeBSD-style MD5-based hashes.
Today, a number of other operating systems, besides OpenBSD, support bcrypt password hashes, with Niels' original implementation, with this implementation (crypt_blowfish), or otherwise. These systems include recent versions of FreeBSD and NetBSD, Solaris 10, and indeed the Linux distributions which have integrated crypt_blowfish (see below for a list). Only some of these systems use bcrypt for newly set passwords by default, though.
This code comes from John the Ripper password cracker, and is placed in the public domain to let you use this on your system, as a part of a software package, or anywhere else to improve security, ensure compatibility, or for any other purpose.
There's no license to worry about, not even a BSD-style copyright.
You can use the provided routines in your own packages or link them into a C library. Hooks for linking into GNU libc are provided. Note that simply adding this code into your libc is probably not enough to make your system use the new password hashing algorithm. Changes to passwd(1), PAM modules, or whatever else your system uses will likely be needed as well. These are not a part of this package, but there's pam_tcb in the Openwall GNU/*/Linux (Owl) tcb package which uses the password hashing framework provided by crypt_blowfish, and there are the Owl shadow suite patches (in particular, the crypt_gensalt patch) available from our CVSweb server.
What's New in This Release: [ read full changelog ]
· Support for the "$2y%CONTENT%amp;quot; prefix (denoting correctly computed hashes) has been added.
· A countermeasure to avoid one-correct to many-buggy collisions with the "$2a%CONTENT%amp;quot; prefix has been added (which is desirable when upgrading systems with existing "$2a%CONTENT%amp;quot; hashes computed using pre-1.1 versions of crypt_blowfish).
· The "make check" tests and the runtime quick self-test have been improved.
· A patch for glibc 2.13 and 2.14 has been added.
· The documentation has been updated.