mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
From: "Björn Esser" <b.esser@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: "Björn Esser" <bes@pengutronix.de>
Subject: [ptxdist] [PATCH v2] libxcrypt: new package
Date: Wed, 18 Sep 2019 10:41:09 +0200	[thread overview]
Message-ID: <20190918084108.27289-1-b.esser@pengutronix.de> (raw)
In-Reply-To: <619b924ad3e2a0965ef23b2ced9ad3d7f44400a3.camel@diehl.com>

From: Björn Esser <bes@pengutronix.de>

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Björn Esser <bes@pengutronix.de>
---
 rules/libcrypt.in    |  38 +++++++++++++++
 rules/libcrypt.make  |  16 ++++++
 rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
 rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
 4 files changed, 264 insertions(+)
 create mode 100644 rules/libcrypt.in
 create mode 100644 rules/libcrypt.make
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..be9642da0
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+	bool
+	prompt "POSIX crypt implementation    "
+	select LIBXCRYPT	if !NATIVE_CRYPT
+	select INTERNAL_CRYPT	if NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+	prompt "POSIX crypt implementation    "
+	default NATIVE_CRYPT
+
+	config NATIVE_CRYPT
+		bool
+		prompt "libc internal"
+		help
+		  This menu entry selects the basic libcrypt provided
+		  by the selected libc implementation of the system.
+
+	config EXTENDED_CRYPT
+		bool
+		prompt "libxcrypt    "
+		help
+		  This menu entry selects the extended libcrypt
+		  implementation provided by the libxcrypt package.
+
+		  Please see "System Libraries" for the configuration
+		  options of libxcrypt.
+endchoice
+
+config INTERNAL_CRYPT
+	bool
+	select GLIBC_CRYPT	if LIBC_GLIBC
+	select UCLIBC_CRYPT	if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..0cc526de4
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..1db488941
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	depends on !NATIVE_CRYPT
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+	bool
+	prompt "Enable full glibc binary compatibility"
+	help
+	  When enabled, this option includes the interfaces for full binary
+	  compatibility with glibc.
+
+	  This setting only affects existing binaries; new programs cannot
+	  be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+	bool
+	prompt "Support for verifying weak bcrypt ($2x$) hashes"
+	help
+	  The alternative prefix "$2x$" provides bug-compatibility with
+	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+	  characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+	bool
+	prompt "sha1crypt ($sha1) hashing method"
+	help
+	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+	  Enable this for compatibility with passphrases that have been
+	  hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+	bool
+	prompt "SunMD5 ($md5) hashing method"
+	help
+	  A hash based on the MD5 algorithm, with additional cleverness
+	  to make precomputation difficult.
+
+	  Enable this for full compatibility with passphrases that have
+	  been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+	bool
+	prompt "NTHASH ($3$) hashing method"
+	help
+	  The hashing method used for network authentication in some
+	  versions of the SMB/CIFS protocol.
+
+	  Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+	bool
+	prompt "bsdicrypt ($2x$) hashing method"
+	help
+	  A weak extension of traditional DES, which eliminates the
+	  length limit, increases the salt size, and makes the time
+	  cost tunable.
+
+	  It originates with BSDI and is also available on at least
+	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+	bool
+	prompt "bigcrypt hashing method"
+	help
+	  A weak extension of traditional DES, available on some
+	  System V-derived Unixes.  All it does is raise the length
+	  limit from 8 to 128 characters, and it does this in a crude
+	  way that allows attackers to guess chunks of a long passphrase
+	  in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..df5d25b1d
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,96 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.9
+LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.gz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bdsicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt$(comma) \
+						     md5crypt$(comma) bcrypt$(comma) and others.)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

  reply	other threads:[~2019-09-18  8:41 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-16 12:57 [ptxdist] [PATCH] " Björn Esser
2019-09-18  5:41 ` Denis OSTERLAND
2019-09-18  8:41   ` Björn Esser [this message]
2019-09-18  9:57   ` [ptxdist] [PATCH v3] " Björn Esser
2019-09-18 10:06     ` Ahmad Fatoum
2019-09-18 10:34       ` Björn Esser
2019-09-23 10:07         ` [ptxdist] [PATCH v4] " Björn Esser
2019-09-23 10:12           ` Lucas Stach
2019-09-23 10:42             ` Björn Esser
2022-05-04 16:58           ` [ptxdist] [PATCH v5] " Andreas Helmcke
2022-05-05  7:27             ` Alexander Dahl
2022-05-05 12:46               ` [ptxdist] [PATCH v6] " Andreas Helmcke
2022-05-06  8:49                 ` Michael Olbrich
2022-05-06 11:27                   ` [ptxdist] [PATCH v7] " Andreas Helmcke
2022-05-06 11:41                     ` Michael Olbrich
2022-05-07 20:44                       ` [ptxdist] [PATCH v8] " Andreas Helmcke
2023-10-16 17:01                         ` [ptxdist] [PATCH v9] " Andreas Helmcke
2023-11-10  7:25                           ` [ptxdist] [APPLIED] " Michael Olbrich
2023-11-10  7:32                           ` [ptxdist] [PATCH v9] " Michael Olbrich
2022-05-06 11:53                     ` [ptxdist] [PATCH v7] " Alexander Dahl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190918084108.27289-1-b.esser@pengutronix.de \
    --to=b.esser@pengutronix.de \
    --cc=bes@pengutronix.de \
    --cc=ptxdist@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox