mailarchive of the ptxdist mailing list
From: Denis OSTERLAND <denis.osterland@diehl.com>
To: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Subject: Re: [ptxdist] [PATCH] libxcrypt: new package
Date: Wed, 18 Sep 2019 05:41:26 +0000
Message-ID: <619b924ad3e2a0965ef23b2ced9ad3d7f44400a3.camel@diehl.com>
In-Reply-To: <20190916125706.19247-1-b.esser@pengutronix.de>

Hi,

On Monday, 16.09.2019, at 14:57 +0200, Björn Esser wrote:
> From: Björn Esser <bes@pengutronix.de>
> 
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> ---
>  rules/libcrypt.in    |  38 +++++++++++++++
>  rules/libcrypt.make  |  16 ++++++
>  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
>  rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
>  4 files changed, 263 insertions(+)
>  create mode 100644 rules/libcrypt.in
>  create mode 100644 rules/libcrypt.make
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> new file mode 100644
> index 000000000..9620f143b
> --- /dev/null
> +++ b/rules/libcrypt.in
> @@ -0,0 +1,38 @@
> +## SECTION=core
> +
> +menuconfig LIBC_CRYPT
> +	bool
> +	prompt "POSIX crypt implementation    "
> +	select LIBXCRYPT	if !NATIVE_CRYPT && EXTENDED_CRYPT
> +	select INTERNAL_CRYPT	if NATIVE_CRYPT && !EXTENDED_CRYPT
Could be simplified to:
	select LIBXCRYPT	if EXTENDED_CRYPT
	select INTERNAL_CRYPT	if NATIVE_CRYPT
Because the choice statement ensures that the other one is not selected.

> +
> +if LIBC_CRYPT
> +
> +choice
> +	prompt "POSIX crypt implementation    "
> +	default NATIVE_CRYPT
> +
> +	config NATIVE_CRYPT
> +		bool
> +		prompt "libc internal"
> +		help
> +		  This menu entry selects the basic libcrypt provided
> +		  by the selected libc implementation of the system.
> +
> +	config EXTENDED_CRYPT
> +		bool
> +		prompt "libxcrypt    "
> +		help
> +		  This menu entry selects the extended libcrypt
> +		  implementation provided by the libxcrypt package.
> +
> +		  Please see "System Libraries" for the configuration
> +		  options of libxcrypt.
> +endchoice
> +
> +config INTERNAL_CRYPT
> +	bool
> +	select GLIBC_CRYPT	if LIBC_GLIBC
> +	select UCLIBC_CRYPT	if LIBC_UCLIBC
> +
> +endif
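
Review bot: INTERNAL_CRYPT at the end of this file only selects GLIBC_CRYPT if LIBC_GLIBC and UCLIBC_CRYPT if LIBC_UCLIBC, so with any other libc the default NATIVE_CRYPT choice selects nothing and gives no hint that no crypt implementation was picked. Consider making NATIVE_CRYPT depend on LIBC_GLIBC || LIBC_UCLIBC, or state in its help text which libcs it covers. The menuconfig entry and the choice also carry the identical prompt "POSIX crypt implementation", which makes the two menu levels hard to tell apart.
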
> diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> new file mode 100644
> index 000000000..0cc526de4
> --- /dev/null
> +++ b/rules/libcrypt.make
> @@ -0,0 +1,16 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
> +
> +LIBCRYPT_LICENSE:= ignore
> +
> +# vim: syntax=make
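
Review bot: the package is registered with PACKAGES-$(PTXCONF_LIBCRYPT), but rules/libcrypt.in in this patch defines the symbol LIBC_CRYPT and nothing visible here defines LIBCRYPT, so this line would never add the package. Use PTXCONF_LIBC_CRYPT here or rename the menuconfig symbol so the two agree. A one-line comment saying that this is a selector package that installs nothing would also explain why LIBCRYPT_LICENSE is set to ignore.
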
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..1db488941
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,114 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	depends on !NATIVE_CRYPT
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> +	bool
> +	prompt "Enable full glibc binary compatibility"
> +	help
> +	  When enabled, this option includes the interfaces for full binary
> +	  compatibility with glibc.
> +
> +	  This setting only affects existing binaries; new programs cannot
> +	  be linked against them.
> +
> +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> +
> +config LIBXCRYPT_BCRYPT_X
> +	bool
> +	prompt "Support for verifying weak bcrypt ($2x$) hashes"
> +	help
> +	  The alternative prefix "$2x$" provides bug-compatibility with
> +	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> +	  characters with the 8th bit set.
> +
> +config LIBXCRYPT_SHA1CRYPT
> +	bool
> +	prompt "sha1crypt ($sha1) hashing method"
> +	help
> +	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
> +
> +	  Enable this for compatibility with passphrases that have been
> +	  hashed on NetBSD.
> +
> +config LIBXCRYPT_SUNMD5
> +	bool
> +	prompt "SunMD5 ($md5) hashing method"
> +	help
> +	  A hash based on the MD5 algorithm, with additional cleverness
> +	  to make precomputation difficult.
> +
> +	  Enable this for full compatibility with passphrases that have
> +	  been hashed on Solaris.
> +
> +config LIBXCRYPT_NTHASH
> +	bool
> +	prompt "NTHASH ($3$) hashing method"
> +	help
> +	  The hashing method used for network authentication in some
> +	  versions of the SMB/CIFS protocol.
> +
> +	  Available, for cross-compatibility's sake, on FreeBSD.
> +
> +config LIBXCRYPT_BSDICRYPT
> +	bool
> +	prompt "bsdicrypt ($2x$) hashing method"
> +	help
> +	  A weak extension of traditional DES, which eliminates the
> +	  length limit, increases the salt size, and makes the time
> +	  cost tunable.
> +
> +	  It originates with BSDI and is also available on at least
> +	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
> +
> +config LIBXCRYPT_BIGCRYPT
> +	bool
> +	prompt "bigcrypt hashing method"
> +	help
> +	  A weak extension of traditional DES, available on some
> +	  System V-derived Unixes.  All it does is raise the length
> +	  limit from 8 to 128 characters, and it does this in a crude
> +	  way that allows attackers to guess chunks of a long passphrase
> +	  in parallel.
> +
> +endif
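
Review bot: the prompt for LIBXCRYPT_BSDICRYPT reads "bsdicrypt ($2x$) hashing method", repeating the $2x$ prefix already used in the LIBXCRYPT_BCRYPT_X prompt; this looks like a copy-paste slip, since the two options are different hash methods. Correct or drop the prefix in the bsdicrypt prompt so that someone enabling legacy hashes can tell which stored format each option accepts. In the LIBXCRYPT_OBSOLETE_STUBS help, "encrypt{,r}" should be "encrypt{,_r}" to match the line above it. Since the help texts themselves call bsdicrypt and bigcrypt weak, each legacy option could say that it should stay disabled unless existing hashes must still be verified.
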
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..abfe8152a
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,95 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.9
> +LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.gz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> +HASH_METHODS := $(HASH_METHODS),sha1crypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> +HASH_METHODS := $(HASH_METHODS),sunmd5
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_NTHASH
> +HASH_METHODS := $(HASH_METHODS),nt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> +HASH_METHODS := $(HASH_METHODS),bdsicrypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> +HASH_METHODS := $(HASH_METHODS),bigcrypt
> +endif
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt, md5crypt, bcrypt, and others.)
Does this work as intended?
I would expect that only "Extended crypt library for descrypt" is written to the pkg,
because of the ','.

> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
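
Review bot: in the PTXCONF_LIBXCRYPT_BSDICRYPT block the method name is spelled "bdsicrypt" instead of "bsdicrypt", so enabling that option passes a name to --enable-hashes that does not match the option it belongs to; fix the spelling. HASH_METHODS is also the only variable in this file without the LIBXCRYPT_ prefix; because rule files share one make namespace, rename it to LIBXCRYPT_HASH_METHODS so it cannot clash with another package. The unquoted commas in the DESCRIPTION fixup are argument separators for $(call ...), so the text after "descrypt" is passed as further arguments, as already questioned above; reword the description without commas.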

Regards Denis

