From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Andreas Helmcke
Date: Fri, 10 Nov 2023 08:25:26 +0100
Subject: Re: [ptxdist] [APPLIED] libxcrypt: new package
Message-Id: <20231110072526.2859325-1-m.olbrich@pengutronix.de>
In-Reply-To: <358b0e0c-b888-41f1-a21f-f9fa4d15b0fc@ela-soft.com>
References: <358b0e0c-b888-41f1-a21f-f9fa4d15b0fc@ela-soft.com>

Thanks, applied as a7d876d7f095a2ba80a7ccc24eb7ce9690ed0792.

Michael

[sent from post-receive hook]

On Fri, 10 Nov 2023 08:25:26 +0100, Andreas Helmcke wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
>
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
>
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.
It is > not suitable for use in bulk password-cracking applications, or in > any other situation where speed is more important than careful > handling of sensitive data. However, it is intended to be fast and > lightweight enough for use in servers that must field thousands of > login attempts per minute. > > Co-authored-by: Björn Esser > Signed-off-by: Björn Esser > Signed-off-by: Andreas Helmcke > Message-Id: <358b0e0c-b888-41f1-a21f-f9fa4d15b0fc@ela-soft.com> > [mol: only use it with glibc and add dependencies] > Signed-off-by: Michael Olbrich > > diff --git a/rules/glibc.in b/rules/glibc.in > index 2bcaa8893e64..03847b2be916 100644 > --- a/rules/glibc.in > +++ b/rules/glibc.in > @@ -28,6 +28,13 @@ config GLIBC_2_34 > libraries can still be selected explicitly here if necessary. > For example if legacy binaries link to such a library. > > +config GLIBC_2_38 > + bool > + prompt "glibc-2.38 or later" > + help > + In glibc-2.38 libcrypt was deprecated and removed afterwards. > + So libxcrypt is needed to provide the libcrypt implmentation. > + > config GLIBC_LD > bool > help > @@ -99,6 +106,7 @@ config GLIBC_DL > > config GLIBC_CRYPT > bool > + depends on !GLIBC_2_38 > prompt "Install libcrypt" > help > The encryption/decryption library > diff --git a/rules/libc.in b/rules/libc.in > index f7d1d2be6c17..34cf9900b714 100644 > --- a/rules/libc.in > +++ b/rules/libc.in > @@ -59,7 +59,10 @@ config LIBC_DL > > config LIBC_CRYPT > bool > - select GLIBC_CRYPT if LIBC_GLIBC > + select GLIBC_CRYPT if LIBC_GLIBC && !GLIBC_2_38 > + select LIBXCRYPT if LIBC_GLIBC && GLIBC_2_38 > + # use virtual here to propagate the dependency > + select VIRTUAL if LIBC_GLIBC && GLIBC_2_38 > select UCLIBC_CRYPT if LIBC_UCLIBC > > config LIBC_UTIL > diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in > new file mode 100644 > index 000000000000..01f9dd4b15b0 > --- /dev/null > +++ b/rules/libxcrypt.in 
> @@ -0,0 +1,42 @@ > +## SECTION=system_libraries > + > +menuconfig LIBXCRYPT > + bool > + prompt "libxcrypt " > + help > + Extended crypt library for descrypt, md5crypt, bcrypt, and others. > + > + libxcrypt is a modern library for one-way hashing of passwords. > + It supports a wide variety of both modern and historical hashing > + methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, > + sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, > + and descrypt. It provides the traditional Unix crypt and crypt_r > + interfaces, as well as a set of extended interfaces pioneered by > + Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, > + crypt_gensalt_rn, and crypt_gensalt_ra. > + > + libxcrypt is intended to be used by login(1), passwd(1), and other > + similar programs; that is, to hash a small number of passwords > + during an interactive authentication dialogue with a human. It is > + not suitable for use in bulk password-cracking applications, or in > + any other situation where speed is more important than careful > + handling of sensitive data. However, it is intended to be fast and > + lightweight enough for use in servers that must field thousands of > + login attempts per minute. > + > +if LIBXCRYPT > + > +config LIBXCRYPT_OBSOLETE_STUBS > + bool > + prompt "Replace obsolete functions with non-functional stubs" > + help > + If enabled, this option replaces the obsolete APIs (fcrypt, > + encrypt{,_r}, and setkey{,_r}) with stubs that set errno to > + ENOSYS and return without performing any real operations. > + > + For security reasons, the encrypt{,r} functions will also > + overwrite their data-block argument with random bits. > + > + The fcrypt function will also always return NULL-pointer. > + > +endif > diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make > new file mode 100644 > index 000000000000..e048968d0cc4 > --- /dev/null > +++ b/rules/libxcrypt.make 
> @@ -0,0 +1,71 @@ > +# -*-makefile-*- > +# > +# Copyright (C) 2019 by Bjoern Esser > +# > +# For further information about the PTXdist project and license conditions > +# see the README file. > +# > + > +# > +# We provide this package > +# > +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt > + > +# > +# Paths and names > +# > +LIBXCRYPT_VERSION := 4.4.36 > +LIBXCRYPT_MD5 := b84cd4104e08c975063ec6c4d0372446 > +LIBXCRYPT := libxcrypt-$(LIBXCRYPT_VERSION) > +LIBXCRYPT_SUFFIX := tar.xz > +LIBXCRYPT_URL := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) > +LIBXCRYPT_SOURCE := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) > +LIBXCRYPT_DIR := $(BUILDDIR)/$(LIBXCRYPT) > +LIBXCRYPT_LICENSE := LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain > +LIBXCRYPT_LICENSE_MD5 := file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c > + > +# ---------------------------------------------------------------------------- > +# Prepare > +# ---------------------------------------------------------------------------- > + > +# > +# options > +# > + > +# Hash methods enabled by default. 
> +HASH_METHODS := glibc,strong > + > +# > +# autoconf > +# > +LIBXCRYPT_CONF_TOOL := autoconf > +LIBXCRYPT_CONF_OPT := \ > + $(CROSS_AUTOCONF_USR) \ > + --disable-failure-tokens \ > + --disable-static \ > + --disable-valgrind \ > + --enable-obsolete-api \ > + --enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \ > + --enable-hashes=$(HASH_METHODS) \ > + --enable-xcrypt-compat-files > + > +# ---------------------------------------------------------------------------- > +# Target-Install > +# ---------------------------------------------------------------------------- > + > +$(STATEDIR)/libxcrypt.targetinstall: > + @$(call targetinfo) > + > + @$(call install_init, libxcrypt) > + @$(call install_fixup, libxcrypt,PRIORITY,optional) > + @$(call install_fixup, libxcrypt,SECTION,base) > + @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser ") > + @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library) > + > + @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt) > + > + @$(call install_finish, libxcrypt) > + > + @$(call touch) > + > +# vim: syntax=make
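Review bot: In the first rules/glibc.in hunk, the new GLIBC_2_38 symbol is a plain user prompt, so nothing visible in this patch ties it to the glibc version the toolchain actually provides. A project on glibc 2.38 or later that leaves it unset still gets GLIBC_CRYPT offered, and LIBC_CRYPT keeps selecting it. The help text should state that the option has to be set to match the toolchain. The help text also misspells "implmentation".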
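Review bot: In the rules/libc.in hunk, the comment "use virtual here to propagate the dependency" does not say which dependency is meant or why "select LIBXCRYPT" alone is not sufficient, so the added "select VIRTUAL" line reads as unexplained. One more sentence naming what ends up depending on libxcrypt through VIRTUAL would help the next person who touches LIBC_CRYPT.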
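Review bot: In the rules/libxcrypt.in hunk, LIBXCRYPT_OBSOLETE_STUBS has no default line, so it stays off unless the user enables it, and rules/libxcrypt.make then passes --enable-obsolete-api-enosys=no together with --enable-obsolete-api, which leaves fcrypt, encrypt{,_r} and setkey{,_r} functional on the target. If that is intended for compatibility with legacy binaries, the help text should say so; otherwise consider making the stubs the default. The help text also writes "encrypt{,r}" where the paragraph above it uses "encrypt{,_r}", and "return NULL-pointer" would read better as "return a NULL pointer".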
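Review bot: In the rules/libxcrypt.make hunk, HASH_METHODS is the only variable that does not carry the LIBXCRYPT_ prefix used by every other assignment in the file, so it can collide with, or be overridden by, a variable of the same name from elsewhere. Rename it to LIBXCRYPT_HASH_METHODS and use that in --enable-hashes. The value "glibc,strong" is also fixed in the rule file, so the set of enabled hash methods cannot be narrowed from the configuration; a short comment on why both groups are enabled would document the choice.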