From: "Björn Esser" <bes@pengutronix.de>
To: ptxdist@pengutronix.de, b.esser@pengutronix.de
Subject: Re: [ptxdist] [PATCH v3] libxcrypt: new package
Date: Wed, 18 Sep 2019 12:34:18 +0200
Message-ID: <6c96f889fd74c14b7153d621e46cc1248ddfc0cb.camel@pengutronix.de>
In-Reply-To: <29408b87-d523-78ba-0b50-67c1d6357179@pengutronix.de>

Hello Ahmad,

On Wed, 2019-09-18 at 12:06 +0200, Ahmad Fatoum wrote:
> Hello Björn,
>
> On 9/18/19 11:57 AM, Björn Esser wrote:
> > From: Björn Esser <bes@pengutronix.de>
> >
> > Also implement the needed logic to (optionally) replace
> > the libcrypt from the selected libc with libxcrypt.
> >
> > libxcrypt is a modern library for one-way hashing of passwords.
> > It supports a wide variety of both modern and historical hashing
> > methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> > sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> > and descrypt. It provides the traditional Unix crypt and crypt_r
> > interfaces, as well as a set of extended interfaces pioneered by
> > Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> > crypt_gensalt_rn,
> > and crypt_gensalt_ra.
> >
> > libxcrypt is intended to be used by login(1), passwd(1), and other
> > similar programs; that is, to hash a small number of passwords
> > during an interactive authentication dialogue with a human. It is
> > not suitable for use in bulk password-cracking applications, or in
> > any other situation where speed is more important than careful
> > handling of sensitive data. However, it is intended to be fast and
> > lightweight enough for use in servers that must field thousands of
> > login attempts per minute.
> >
> > Signed-off-by: Björn Esser <bes@pengutronix.de>
> > ---
>
> It's customary to add a simple change log that highlights revision
> differences here after the ---, something like:
>
> v2 -> v3:
> - Foo'd the bar ($reviewer1_who_suggested_it)
> v1 -> v2:
> - Bar'd the foo ($reviewer2)
>
> For larger patch series, these can be placed in the cover letter.
>
> Cheers
> Ahmad

Excuse me, I'm sorry. Here is the CLog:

v2 -> v3:
- Added 3 files that also needed minor adaptions and I forgot to add
  to the initial patch.
v1 -> v2:
- Adapt the two remarks pointed out by Denis Osterland

Cheers
Björn

> > rules/glibc.in | 4 ++
> > rules/libc.in | 7 ++-
> > rules/libcrypt.in | 38 +++++++++++++++
> > rules/libcrypt.make | 16 ++++++
> > rules/libxcrypt.in | 114
> > +++++++++++++++++++++++++++++++++++++++++++
> > rules/libxcrypt.make | 96 ++++++++++++++++++++++++++++++++++++
> > rules/uclibc.in | 4 ++
> > 7 files changed, 275 insertions(+), 4 deletions(-)
> > create mode 100644 rules/libcrypt.in
> > create mode 100644 rules/libcrypt.make
> > create mode 100644 rules/libxcrypt.in
> > create mode 100644 rules/libxcrypt.make
> >
> > diff --git a/rules/glibc.in b/rules/glibc.in
> > index 16e5e84d1..0883e0543 100644
> > --- a/rules/glibc.in
> > +++ b/rules/glibc.in
> > @@ -79,12 +79,16 @@ config GLIBC_DL
> > functionality you should probably use libtool instead. It is
> > much more cross
> > platform compatible than dlopen, etc. It also supports BeOS.
> > See related links.
> >
> > +if NATIVE_CRYPT
> > +
> > config GLIBC_CRYPT
> > bool
> > prompt "Install libcrypt"
> > help
> > The encryption/decryption library
> >
> > +endif
> > +
> > config GLIBC_UTIL
> > bool
> > prompt "Install libutil"
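
Review bot: The new "if NATIVE_CRYPT" guard around GLIBC_CRYPT depends on a symbol that is defined in rules/libcrypt.in, inside "if LIBC_CRYPT", and nothing in this file says so. A configuration that has GLIBC_CRYPT enabled without LIBC_CRYPT loses the "Install libcrypt" prompt and the symbol with it, so libcrypt silently drops out of the image on the next oldconfig. Please add a comment above the guard pointing at rules/libcrypt.in and mention the behaviour change in the commit message. The identical guard in rules/uclibc.in needs the same treatment.
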
> > diff --git a/rules/libc.in b/rules/libc.in
> > index b4aa3b9f2..60ceecbe6 100644
> > --- a/rules/libc.in
> > +++ b/rules/libc.in
> > @@ -56,10 +56,9 @@ config LIBC_DL
> > select GLIBC_DL if LIBC_GLIBC
> > select UCLIBC_DL if LIBC_UCLIBC
> >
> > -config LIBC_CRYPT
> > - bool
> > - select GLIBC_CRYPT if LIBC_GLIBC
> > - select UCLIBC_CRYPT if LIBC_UCLIBC
> > +#
> > +# LIBC_CRYPT is handled by rules/libcrypt.in.
> > +#
> >
> > config LIBC_UTIL
> > bool
> > diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> > new file mode 100644
> > index 000000000..be9642da0
> > --- /dev/null
> > +++ b/rules/libcrypt.in
> > @@ -0,0 +1,38 @@
> > +## SECTION=core
> > +
> > +menuconfig LIBC_CRYPT
> > + bool
> > + prompt "POSIX crypt implementation "
> > + select LIBXCRYPT if !NATIVE_CRYPT
> > + select INTERNAL_CRYPT if NATIVE_CRYPT
> > +
> > +if LIBC_CRYPT
> > +
> > +choice
> > + prompt "POSIX crypt implementation "
> > + default NATIVE_CRYPT
> > +
> > + config NATIVE_CRYPT
> > + bool
> > + prompt "libc internal"
> > + help
> > + This menu entry selects the basic libcrypt provided
> > + by the selected libc implementation of the system.
> > +
> > + config EXTENDED_CRYPT
> > + bool
> > + prompt "libxcrypt "
> > + help
> > + This menu entry selects the extended libcrypt
> > + implementation provided by the libxcrypt package.
> > +
> > + Please see "System Libraries" for the configuration
> > + options of libxcrypt.
> > +endchoice
> > +
> > +config INTERNAL_CRYPT
> > + bool
> > + select GLIBC_CRYPT if LIBC_GLIBC
> > + select UCLIBC_CRYPT if LIBC_UCLIBC
> > +
> > +endif
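
Review bot: EXTENDED_CRYPT is defined in the choice but never referenced; the condition at the top is written as "select LIBXCRYPT if !NATIVE_CRYPT", and rules/libxcrypt.in uses "depends on !NATIVE_CRYPT". Because NATIVE_CRYPT only exists inside "if LIBC_CRYPT", !NATIVE_CRYPT is also true when LIBC_CRYPT is disabled, so the two conditions cover more than the "libxcrypt" choice entry. Writing "select LIBXCRYPT if EXTENDED_CRYPT" states the intent directly and gives the second choice entry a purpose. If libxcrypt is meant to stay selectable on its own when LIBC_CRYPT is off, say so in the help text.
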
> > diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> > new file mode 100644
> > index 000000000..0cc526de4
> > --- /dev/null
> > +++ b/rules/libcrypt.make
> > @@ -0,0 +1,16 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> > +#
> > +# For further information about the PTXdist project and license
> > conditions
> > +# see the README file.
> > +#
> > +
> > +#
> > +# We provide this package
> > +#
> > +PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
> > +
> > +LIBCRYPT_LICENSE:= ignore
> > +
> > +# vim: syntax=make
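
Review bot: "PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt" keys on PTXCONF_LIBCRYPT, but the symbol defined in rules/libcrypt.in is LIBC_CRYPT, and no LIBCRYPT symbol is defined anywhere in this patch, so this line never adds the package. Either key on PTXCONF_LIBC_CRYPT or rename things so that the .in symbol, the variable prefix (LIBCRYPT_LICENSE) and the package name agree.
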
> > diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> > new file mode 100644
> > index 000000000..1db488941
> > --- /dev/null
> > +++ b/rules/libxcrypt.in
> > @@ -0,0 +1,114 @@
> > +## SECTION=system_libraries
> > +
> > +menuconfig LIBXCRYPT
> > + bool
> > + prompt "libxcrypt "
> > + depends on !NATIVE_CRYPT
> > + help
> > + Extended crypt library for descrypt, md5crypt, bcrypt, and
> > others.
> > +
> > + libxcrypt is a modern library for one-way hashing of
> > passwords.
> > + It supports a wide variety of both modern and historical
> > hashing
> > + methods: yescrypt, gost-yescrypt, scrypt, bcrypt,
> > sha512crypt,
> > + sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt,
> > bigcrypt,
> > + and descrypt. It provides the traditional Unix crypt and
> > crypt_r
> > + interfaces, as well as a set of extended interfaces pioneered
> > by
> > + Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> > + crypt_gensalt_rn, and crypt_gensalt_ra.
> > +
> > + libxcrypt is intended to be used by login(1), passwd(1), and
> > other
> > + similar programs; that is, to hash a small number of
> > passwords
> > + during an interactive authentication dialogue with a
> > human. It is
> > + not suitable for use in bulk password-cracking applications,
> > or in
> > + any other situation where speed is more important than
> > careful
> > + handling of sensitive data. However, it is intended to be
> > fast and
> > + lightweight enough for use in servers that must field
> > thousands of
> > + login attempts per minute.
> > +
> > +if LIBXCRYPT
> > +
> > +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> > + bool
> > + prompt "Enable full glibc binary compatibility"
> > + help
> > + When enabled, this option includes the interfaces for full
> > binary
> > + compatibility with glibc.
> > +
> > + This setting only affects existing binaries; new programs
> > cannot
> > + be linked against them.
> > +
> > +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> > +
> > +config LIBXCRYPT_OBSOLETE_STUBS
> > + bool
> > + prompt "Replace obsolete functions with non-functional stubs"
> > + help
> > + If enabled, this option replaces the obsolete APIs (fcrypt,
> > + encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> > + ENOSYS and return without performing any real operations.
> > +
> > + For security reasons, the encrypt{,r} functions will also
> > + overwrite their data-block argument with random bits.
> > +
> > + The fcrypt function will also always return NULL-pointer.
> > +
> > +endif
> > +
> > +config LIBXCRYPT_BCRYPT_X
> > + bool
> > + prompt "Support for verifying weak bcrypt ($2x$) hashes"
> > + help
> > + The alternative prefix "$2x$" provides bug-compatibility with
> > + crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> > + characters with the 8th bit set.
> > +
> > +config LIBXCRYPT_SHA1CRYPT
> > + bool
> > + prompt "sha1crypt ($sha1) hashing method"
> > + help
> > + A hash based on HMAC-SHA1. Originally developed for NetBSD.
> > +
> > + Enable this for compatibility with passphrases that have been
> > + hashed on NetBSD.
> > +
> > +config LIBXCRYPT_SUNMD5
> > + bool
> > + prompt "SunMD5 ($md5) hashing method"
> > + help
> > + A hash based on the MD5 algorithm, with additional cleverness
> > + to make precomputation difficult.
> > +
> > + Enable this for full compatibility with passphrases that have
> > + been hashed on Solaris.
> > +
> > +config LIBXCRYPT_NTHASH
> > + bool
> > + prompt "NTHASH ($3$) hashing method"
> > + help
> > + The hashing method used for network authentication in some
> > + versions of the SMB/CIFS protocol.
> > +
> > + Available, for cross-compatibility's sake, on FreeBSD.
> > +
> > +config LIBXCRYPT_BSDICRYPT
> > + bool
> > + prompt "bsdicrypt ($2x$) hashing method"
> > + help
> > + A weak extension of traditional DES, which eliminates the
> > + length limit, increases the salt size, and makes the time
> > + cost tunable.
> > +
> > + It originates with BSDI and is also available on at least
> > + NetBSD, OpenBSD, FreeBSD, and MacOSX.
> > +
> > +config LIBXCRYPT_BIGCRYPT
> > + bool
> > + prompt "bigcrypt hashing method"
> > + help
> > + A weak extension of traditional DES, available on some
> > + System V-derived Unixes. All it does is raise the length
> > + limit from 8 to 128 characters, and it does this in a crude
> > + way that allows attackers to guess chunks of a long
> > passphrase
> > + in parallel.
> > +
> > +endif
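
Review bot: The prompt of LIBXCRYPT_BSDICRYPT reads "bsdicrypt ($2x$) hashing method", which repeats the prefix already shown for LIBXCRYPT_BCRYPT_X; bsdicrypt hashes start with "_", so the prompt should show that prefix instead. In the LIBXCRYPT_OBSOLETE_STUBS help, "encrypt{,r}" should be "encrypt{,_r}" to match the list a few lines above it. Every option in this block re-enables a legacy or weak method, so each help text should say that it is only needed to verify existing hashes.
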
> > diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> > new file mode 100644
> > index 000000000..df5d25b1d
> > --- /dev/null
> > +++ b/rules/libxcrypt.make
> > @@ -0,0 +1,96 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> > +#
> > +# For further information about the PTXdist project and license
> > conditions
> > +# see the README file.
> > +#
> > +
> > +#
> > +# We provide this package
> > +#
> > +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> > +
> > +#
> > +# Paths and names
> > +#
> > +LIBXCRYPT_VERSION := 4.4.9
> > +LIBXCRYPT_MD5 := 7c2d5206dfb6a72ed464eee812a58fcf
> > +LIBXCRYPT := libxcrypt-$(LIBXCRYPT_VERSION)
> > +LIBXCRYPT_SUFFIX := tar.gz
> > +LIBXCRYPT_URL :=
> > https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX
> > )
> > +LIBXCRYPT_SOURCE := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> > +LIBXCRYPT_DIR := $(BUILDDIR)/$(LIBXCRYPT)
> > +LIBXCRYPT_LICENSE := LGPL-2.1-or-later AND BSD-3-Clause AND BSD-
> > 2-Clause AND 0BSD AND public_domain
> > +LIBXCRYPT_LICENSE_MD5 :=
> > file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> > +
> > +# ----------------------------------------------------------------
> > ------------
> > +# Prepare
> > +# ----------------------------------------------------------------
> > ------------
> > +
> > +#
> > +# options
> > +#
> > +
> > +# Hash methods enabled by default.
> > +HASH_METHODS := glibc,strong
> > +
> > +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> > +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> > +HASH_METHODS := $(HASH_METHODS),sha1crypt
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> > +HASH_METHODS := $(HASH_METHODS),sunmd5
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_NTHASH
> > +HASH_METHODS := $(HASH_METHODS),nt
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> > +HASH_METHODS := $(HASH_METHODS),bdsicrypt
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> > +HASH_METHODS := $(HASH_METHODS),bigcrypt
> > +endif
> > +
> > +#
> > +# autoconf
> > +#
> > +LIBXCRYPT_CONF_TOOL := autoconf
> > +LIBXCRYPT_CONF_OPT := \
> > + $(CROSS_AUTOCONF_USR) \
> > + --disable-failure-tokens \
> > + --disable-static \
> > + --disable-valgrind \
> > + --enable-obsolete-api=$(call
> > ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
> > + --enable-obsolete-api-enosys=$(call
> > ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> > + --enable-hashes=$(HASH_METHODS) \
> > + --enable-xcrypt-compat-files
> > +
> > +# ----------------------------------------------------------------
> > ------------
> > +# Target-Install
> > +# ----------------------------------------------------------------
> > ------------
> > +
> > +$(STATEDIR)/libxcrypt.targetinstall:
> > + @$(call targetinfo)
> > +
> > + @$(call install_init, libxcrypt)
> > + @$(call install_fixup, libxcrypt,PRIORITY,optional)
> > + @$(call install_fixup, libxcrypt,SECTION,base)
> > + @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <
> > bes@pengutronix.de>")
> > + @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt
> > library for descrypt$(comma) \
> > + md5crypt$(comma)
> > bcrypt$(comma) and others.)
> > +
> > + @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> > +
> > + @$(call install_finish, libxcrypt)
> > +
> > + @$(call touch)
> > +
> > +# vim: syntax=make
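
Review bot: In the PTXCONF_LIBXCRYPT_BSDICRYPT branch the method name is misspelled ("HASH_METHODS := $(HASH_METHODS),bdsicrypt"), so enabling the option passes an unknown name to --enable-hashes instead of bsdicrypt; it should read "bsdicrypt". HASH_METHODS is also the only variable in this file without the LIBXCRYPT_ prefix; rename it to LIBXCRYPT_HASH_METHODS so it cannot collide with a variable of the same name in another rule file.
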
> > diff --git a/rules/uclibc.in b/rules/uclibc.in
> > index 1fa99eba5..3e4b3d5b3 100644
> > --- a/rules/uclibc.in
> > +++ b/rules/uclibc.in
> > @@ -24,12 +24,16 @@ config UCLIBC_C
> >
> > Better not turn this option off..
> >
> > +if NATIVE_CRYPT
> > +
> > config UCLIBC_CRYPT
> > bool
> > prompt "Install libcrypt"
> > help
> > The encryption/decryption library
> >
> > +endif
> > +
> > config UCLIBC_DL
> > bool
> > prompt "Install libdl"
> >