Re: [ptxdist] [APPLIED] libxcrypt: new package

[Michael Olbrich <m.olbrich@pengutronix.de>]

Thanks, applied as a7d876d7f095a2ba80a7ccc24eb7ce9690ed0792.

Michael

[sent from post-receive hook]

On Fri, 10 Nov 2023 08:25:26 +0100, Andreas Helmcke <ahelmcke@ela-soft.com> wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Andreas Helmcke <ahelmcke@ela-soft.com>
> Message-Id: <358b0e0c-b888-41f1-a21f-f9fa4d15b0fc@ela-soft.com>
> [mol: only use it with glibc and add dependencies]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 2bcaa8893e64..03847b2be916 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -28,6 +28,13 @@ config GLIBC_2_34
>  	  libraries can still be selected explicitly here if necessary.
>  	  For example if legacy binaries link to such a library.
>  
> +config GLIBC_2_38
> +	bool
> +	prompt "glibc-2.38 or later"
> +	help
> +	  In glibc-2.38 libcrypt was deprecated and removed afterwards.
> +	  So libxcrypt is needed to provide the libcrypt implmentation.
> +
>  config GLIBC_LD
>  	bool
>  	help
> @@ -99,6 +106,7 @@ config GLIBC_DL
>  
>  config GLIBC_CRYPT
>  	bool
> +	depends on !GLIBC_2_38
>  	prompt "Install libcrypt"
>  	help
>  	  The encryption/decryption library
> diff --git a/rules/libc.in b/rules/libc.in
> index f7d1d2be6c17..34cf9900b714 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -59,7 +59,10 @@ config LIBC_DL
>  
>  config LIBC_CRYPT
>  	bool
> -	select GLIBC_CRYPT		if LIBC_GLIBC
> +	select GLIBC_CRYPT		if LIBC_GLIBC && !GLIBC_2_38
> +	select LIBXCRYPT		if LIBC_GLIBC && GLIBC_2_38
> +	# use virtual here to propagate the dependency
> +	select VIRTUAL			if LIBC_GLIBC && GLIBC_2_38
>  	select UCLIBC_CRYPT		if LIBC_UCLIBC
>  
>  config LIBC_UTIL
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000000..01f9dd4b15b0
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000000..e048968d0cc4
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.36
> +LIBXCRYPT_MD5		:= b84cd4104e08c975063ec6c4d0372446
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.xz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make