[ptxdist] [PATCH v2] libxcrypt: new package

["Björn Esser" <b.esser@pengutronix.de>]

From: Björn Esser <bes@pengutronix.de>

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Björn Esser <bes@pengutronix.de>
---
 rules/libcrypt.in    |  38 +++++++++++++++
 rules/libcrypt.make  |  16 ++++++
 rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
 rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
 4 files changed, 264 insertions(+)
 create mode 100644 rules/libcrypt.in
 create mode 100644 rules/libcrypt.make
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..be9642da0
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+	bool
+	prompt "POSIX crypt implementation    "
+	select LIBXCRYPT	if !NATIVE_CRYPT
+	select INTERNAL_CRYPT	if NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+	prompt "POSIX crypt implementation    "
+	default NATIVE_CRYPT
+
+	config NATIVE_CRYPT
+		bool
+		prompt "libc internal"
+		help
+		  This menu entry selects the basic libcrypt provided
+		  by the selected libc implementation of the system.
+
+	config EXTENDED_CRYPT
+		bool
+		prompt "libxcrypt    "
+		help
+		  This menu entry selects the extended libcrypt
+		  implementation provided by the libxcrypt package.
+
+		  Please see "System Libraries" for the configuration
+		  options of libxcrypt.
+endchoice
+
+config INTERNAL_CRYPT
+	bool
+	select GLIBC_CRYPT	if LIBC_GLIBC
+	select UCLIBC_CRYPT	if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..0cc526de4
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..1db488941
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	depends on !NATIVE_CRYPT
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+	bool
+	prompt "Enable full glibc binary compatibility"
+	help
+	  When enabled, this option includes the interfaces for full binary
+	  compatibility with glibc.
+
+	  This setting only affects existing binaries; new programs cannot
+	  be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+	bool
+	prompt "Support for verifying weak bcrypt ($2x$) hashes"
+	help
+	  The alternative prefix "$2x$" provides bug-compatibility with
+	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+	  characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+	bool
+	prompt "sha1crypt ($sha1) hashing method"
+	help
+	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+	  Enable this for compatibility with passphrases that have been
+	  hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+	bool
+	prompt "SunMD5 ($md5) hashing method"
+	help
+	  A hash based on the MD5 algorithm, with additional cleverness
+	  to make precomputation difficult.
+
+	  Enable this for full compatibility with passphrases that have
+	  been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+	bool
+	prompt "NTHASH ($3$) hashing method"
+	help
+	  The hashing method used for network authentication in some
+	  versions of the SMB/CIFS protocol.
+
+	  Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+	bool
+	prompt "bsdicrypt ($2x$) hashing method"
+	help
+	  A weak extension of traditional DES, which eliminates the
+	  length limit, increases the salt size, and makes the time
+	  cost tunable.
+
+	  It originates with BSDI and is also available on at least
+	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+	bool
+	prompt "bigcrypt hashing method"
+	help
+	  A weak extension of traditional DES, available on some
+	  System V-derived Unixes.  All it does is raise the length
+	  limit from 8 to 128 characters, and it does this in a crude
+	  way that allows attackers to guess chunks of a long passphrase
+	  in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..df5d25b1d
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,96 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.9
+LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.gz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bdsicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt$(comma) \
+						     md5crypt$(comma) bcrypt$(comma) and others.)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de