From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <358b0e0c-b888-41f1-a21f-f9fa4d15b0fc@ela-soft.com>
Date: Mon, 16 Oct 2023 19:01:59 +0200
From: Andreas Helmcke
To: ptxdist@pengutronix.de
References: <6c96f889fd74c14b7153d621e46cc1248ddfc0cb.camel@pengutronix.de> <20190923100706.1994-1-b.esser@pengutronix.de> <344fbd54-321f-8b45-81c4-b617af872bc5@helmcke.name>
In-Reply-To: <344fbd54-321f-8b45-81c4-b617af872bc5@helmcke.name>
Subject: [ptxdist] [PATCH v9] libxcrypt: new package
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de

Also implement the needed logic to (optionally) replace the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords. It supports a wide variety of both modern and historical hashing methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, and descrypt. It provides the traditional Unix crypt and crypt_r interfaces, as well as a set of extended interfaces pioneered by Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other similar programs; that is, to hash a small number of passwords during an interactive authentication dialogue with a human. It is not suitable for use in bulk password-cracking applications, or in any other situation where speed is more important than careful handling of sensitive data.
However, it is intended to be fast and lightweight enough for use in servers that must field thousands of login attempts per minute. Co-authored-by: Björn Esser Signed-off-by: Björn Esser Signed-off-by: Andreas Helmcke --- v8 -> v9: - Update libxcrypt 4.4.24 -> 4.4.36 - Rebased to current HEAD (90875f8a) - Updated Signed-off-by email-address v7 -> v8: - Rebased to current HEAD - Updated commit message Co-authored-by and Signed-off-by lines. v6 -> v7: - Applied the changes recommended by Michael Olbrich v5 -> v6: (by Andreas Helmcke) - Updated commit message to properly address authors v4 -> v5: (by Andreas Helmcke) - Update libxcrypt 4.4.10 -> 4.4.24 - Changed download url to official tar, which does not need autoconf - Changed the config variable names to reflect menu structure - Corrected two typos original work by Björn Esser : v3 -> v4: - Update libxcrypt 4.4.9 -> 4.4.10 v2 -> v3: - Added 3 files that also needed minor adaptions and I forgot to add to the initial patch. v1 -> v2: - Adapt the two remarks pointed out by Dennis Osterland rules/glibc.in | 3 +- rules/libc.in | 8 +++-- rules/libxcrypt.in | 42 ++++++++++++++++++++++++++ rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++ rules/uclibc.in | 3 +- 5 files changed, 123 insertions(+), 4 deletions(-) create mode 100644 rules/libxcrypt.in create mode 100644 rules/libxcrypt.make diff --git a/rules/glibc.in b/rules/glibc.in index 2bcaa8893..67688ef49 100644 --- a/rules/glibc.in +++ b/rules/glibc.in @@ -99,7 +99,8 @@ config GLIBC_DL config GLIBC_CRYPT bool - prompt "Install libcrypt" + prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT + default no if !LIBC_CRYPT_NATIVE_CRYPT help The encryption/decryption library diff --git a/rules/libc.in b/rules/libc.in index f7d1d2be6..1ce26297d 100644 --- a/rules/libc.in +++ b/rules/libc.in @@ -27,6 +27,10 @@ choice prompt "uClibc " endchoice +config LIBC_CRYPT_NATIVE_CRYPT + bool + default !LIBXCRYPT + source "generated/libc.in" endif 
@@ -59,8 +63,8 @@ config LIBC_DL config LIBC_CRYPT bool - select GLIBC_CRYPT if LIBC_GLIBC - select UCLIBC_CRYPT if LIBC_UCLIBC + select GLIBC_CRYPT if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT + select UCLIBC_CRYPT if LIBC_UCLIBC && LIBC_CRYPT_NATIVE_CRYPT config LIBC_UTIL bool diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in new file mode 100644 index 000000000..01f9dd4b1 --- /dev/null +++ b/rules/libxcrypt.in 
@@ -0,0 +1,42 @@ +## SECTION=system_libraries + +menuconfig LIBXCRYPT + bool + prompt "libxcrypt " + help + Extended crypt library for descrypt, md5crypt, bcrypt, and others. + + libxcrypt is a modern library for one-way hashing of passwords. + It supports a wide variety of both modern and historical hashing + methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, + sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, + and descrypt. It provides the traditional Unix crypt and crypt_r + interfaces, as well as a set of extended interfaces pioneered by + Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, + crypt_gensalt_rn, and crypt_gensalt_ra. + + libxcrypt is intended to be used by login(1), passwd(1), and other + similar programs; that is, to hash a small number of passwords + during an interactive authentication dialogue with a human. It is + not suitable for use in bulk password-cracking applications, or in + any other situation where speed is more important than careful + handling of sensitive data. However, it is intended to be fast and + lightweight enough for use in servers that must field thousands of + login attempts per minute. + +if LIBXCRYPT + +config LIBXCRYPT_OBSOLETE_STUBS + bool + prompt "Replace obsolete functions with non-functional stubs" + help + If enabled, this option replaces the obsolete APIs (fcrypt, + encrypt{,_r}, and setkey{,_r}) with stubs that set errno to + ENOSYS and return without performing any real operations. + + For security reasons, the encrypt{,r} functions will also + overwrite their data-block argument with random bits. + + The fcrypt function will also always return NULL-pointer. + +endif diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make new file mode 100644 index 000000000..e048968d0 --- /dev/null +++ b/rules/libxcrypt.make 
@@ -0,0 +1,71 @@ +# -*-makefile-*- +# +# Copyright (C) 2019 by Bjoern Esser +# +# For further information about the PTXdist project and license conditions +# see the README file. +# + +# +# We provide this package +# +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt + +# +# Paths and names +# +LIBXCRYPT_VERSION := 4.4.36 +LIBXCRYPT_MD5 := b84cd4104e08c975063ec6c4d0372446 +LIBXCRYPT := libxcrypt-$(LIBXCRYPT_VERSION) +LIBXCRYPT_SUFFIX := tar.xz +LIBXCRYPT_URL := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) +LIBXCRYPT_SOURCE := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) +LIBXCRYPT_DIR := $(BUILDDIR)/$(LIBXCRYPT) +LIBXCRYPT_LICENSE := LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain +LIBXCRYPT_LICENSE_MD5 := file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c + +# ---------------------------------------------------------------------------- +# Prepare +# ---------------------------------------------------------------------------- + +# +# options +# + +# Hash methods enabled by default. 
+HASH_METHODS := glibc,strong + +# +# autoconf +# +LIBXCRYPT_CONF_TOOL := autoconf +LIBXCRYPT_CONF_OPT := \ + $(CROSS_AUTOCONF_USR) \ + --disable-failure-tokens \ + --disable-static \ + --disable-valgrind \ + --enable-obsolete-api \ + --enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \ + --enable-hashes=$(HASH_METHODS) \ + --enable-xcrypt-compat-files + +# ---------------------------------------------------------------------------- +# Target-Install +# ---------------------------------------------------------------------------- + +$(STATEDIR)/libxcrypt.targetinstall: + @$(call targetinfo) + + @$(call install_init, libxcrypt) + @$(call install_fixup, libxcrypt,PRIORITY,optional) + @$(call install_fixup, libxcrypt,SECTION,base) + @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser ") + @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library) + + @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt) + + @$(call install_finish, libxcrypt) + + @$(call touch) + +# vim: syntax=make diff --git a/rules/uclibc.in b/rules/uclibc.in index 1fa99eba5..39d8ca3d7 100644 --- a/rules/uclibc.in +++ b/rules/uclibc.in @@ -26,7 +26,8 @@ config UCLIBC_C config UCLIBC_CRYPT bool - prompt "Install libcrypt" + prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT + default no if !LIBC_CRYPT_NATIVE_CRYPT help The encryption/decryption library -- 2.39.2
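
Review bot: In the rules/glibc.in hunk (and the identical change in rules/uclibc.in), `default no if !LIBC_CRYPT_NATIVE_CRYPT` uses `no`, which is not a Kconfig constant. The tristate constants are `n`, `m` and `y`, so `no` is parsed as a reference to an undefined symbol and only evaluates to n as a side effect. A bool without a default is already n, so either drop the line or write `default n if !LIBC_CRYPT_NATIVE_CRYPT`. Hiding the prompt also does not stop another symbol from selecting GLIBC_CRYPT or UCLIBC_CRYPT directly, so a short comment stating that these symbols are only meant to be reached through LIBC_CRYPT would help.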
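
Review bot: In the first rules/libc.in hunk, LIBC_CRYPT_NATIVE_CRYPT is added between `endchoice` and the `endif`, so it inherits the condition of that enclosing `if` block, which is outside the visible context. Whenever that condition is false the symbol is n and the gated selects in the second hunk never fire, even with LIBXCRYPT disabled. Consider defining it next to LIBC_CRYPT, outside the block, and adding a comment saying it is a derived symbol meaning "libcrypt comes from the selected libc". The name is also redundant; something like LIBC_CRYPT_NATIVE would read better.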
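
Review bot: In the second rules/libc.in hunk, with LIBXCRYPT enabled both `select GLIBC_CRYPT if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT` and its uClibc counterpart are disabled, and nothing in these lines makes LIBC_CRYPT pull in libxcrypt instead. As far as the patch shows, a package that selects LIBC_CRYPT then has no dependency on any libcrypt provider, so correct installation and build order rely on the user having enabled LIBXCRYPT by hand. Please either document that expectation here or restructure this so that LIBC_CRYPT resolves to exactly one provider, for example with a choice between native libcrypt and libxcrypt.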
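
Review bot: In rules/libxcrypt.in, LIBXCRYPT_OBSOLETE_STUBS has no default and is therefore off, which leaves the obsolete fcrypt, encrypt and setkey entry points functional unless the user opts out. The help text should say which setting is the safer one and when the functional variants are actually needed, and `default y` is worth considering for new configurations. The help text also has a typo: `encrypt{,r}` should be `encrypt{,_r}` to match the paragraph above it, and "return NULL-pointer" should read "return a NULL pointer".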
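
Review bot: In rules/libxcrypt.make, `HASH_METHODS := glibc,strong` defines an unprefixed variable in the make namespace shared by all rules files, where every other variable in this file carries the LIBXCRYPT_ prefix. Rename it to LIBXCRYPT_HASH_METHODS so that it cannot collide with another package. The hash set is also hard-coded, so a target that wants only the strong methods listed in the commit message cannot drop the historical ones without editing the rule; a menu option feeding `--enable-hashes=` would fit next to LIBXCRYPT_OBSOLETE_STUBS. Separately, the only integrity pin on the downloaded tarball is LIBXCRYPT_MD5; when bumping the version, check the archive against a stronger digest or signature from upstream if one is published, and mention in the changelog that this was done.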