From: Alexander Dahl
To: Andreas Helmcke
Cc: ptxdist@pengutronix.de
Date: Thu, 5 May 2022 09:27:37 +0200
Subject: Re: [ptxdist] [PATCH v5] libxcrypt: new package

Hello Andreas,

On Wed, May 04, 2022 at 06:58:10PM +0200, Andreas Helmcke wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
>
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
>
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human. It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data. However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
>
> Signed-off-by: Andreas Helmcke
> ---
>
> v4 -> v5: (by Andreas Helmcke)
> - Update libxcrypt 4.4.10 -> 4.4.24
> - Changed download url to official tar, which does not need autoconf
> - Changed the config variable names to reflect menu structure
> - Corrected two typos
>
> original work by Björn Esser :

You might want to add a "Co-authored-by: …" line to your commit
message then to give credit to previous work.

Greets
Alex

> v3 -> v4:
> - Update libxcrypt 4.4.9 -> 4.4.10
>
> v2 -> v3:
> - Added 3 files that also needed minor adaptions and I forgot to add
>   to the initial patch.
>
> v1 -> v2:
> - Adapt the two remarks pointed out by Dennis Osterland
>
>
>
> rules/glibc.in | 4 ++
> rules/libc.in | 7 ++-
> rules/libcrypt.in | 38 +++++++++++++++
> rules/libcrypt.make | 16 ++++++
> rules/libxcrypt.in | 114 +++++++++++++++++++++++++++++++++++++++++++
> rules/libxcrypt.make | 95 ++++++++++++++++++++++++++++++++++++
> rules/uclibc.in | 4 ++
> 7 files changed, 274 insertions(+), 4 deletions(-)
> create mode 100644 rules/libcrypt.in
> create mode 100644 rules/libcrypt.make
> create mode 100644 rules/libxcrypt.in
> create mode 100644 rules/libxcrypt.make
>
> diff --git a/rules/glibc.in b/rules/glibc.in > index 16e5e84d1..1d1fa4980 100644 > --- a/rules/glibc.in > +++ b/rules/glibc.in 
> @@ -79,12 +79,16 @@ config GLIBC_DL > functionality you should probably use libtool instead. It is much > more cross > platform compatible than dlopen, etc. It also supports BeOS. See > related links. > > +if LIBC_CRYPT_NATIVE_CRYPT > + > config GLIBC_CRYPT > bool > prompt "Install libcrypt" > help > The encryption/decryption library > > +endif > + > config GLIBC_UTIL > bool > prompt "Install libutil" > diff --git a/rules/libc.in b/rules/libc.in > index 1614affd9..01fe55af5 100644 > --- a/rules/libc.in > +++ b/rules/libc.in > @@ -57,10 +57,9 @@ config LIBC_DL > select GLIBC_DL if LIBC_GLIBC > select UCLIBC_DL if LIBC_UCLIBC > > -config LIBC_CRYPT > - bool > - select GLIBC_CRYPT if LIBC_GLIBC > - select UCLIBC_CRYPT if LIBC_UCLIBC > +# > +# LIBC_CRYPT is handled by rules/libcrypt.in. > +# > > config LIBC_UTIL > bool > diff --git a/rules/libcrypt.in b/rules/libcrypt.in > new file mode 100644 > index 000000000..117cb72a5 > --- /dev/null > +++ b/rules/libcrypt.in > @@ -0,0 +1,38 @@ > +## SECTION=core > + > +menuconfig LIBC_CRYPT > + bool > + prompt "POSIX crypt implementation " > + select LIBXCRYPT if !LIBC_CRYPT_NATIVE_CRYPT > + select LIBC_CRYPT_INTERNAL_CRYPT if LIBC_CRYPT_NATIVE_CRYPT > + > +if LIBC_CRYPT > + > +choice > + prompt "POSIX crypt implementation " > + default LIBC_CRYPT_NATIVE_CRYPT > + > + config LIBC_CRYPT_NATIVE_CRYPT > + bool > + prompt "libc internal" > + help > + This menu entry selects the basic libcrypt provided > + by the selected libc implementation of the system. > + > + config LIBC_CRYPT_EXTENDED_CRYPT > + bool > + prompt "libxcrypt " > + help > + This menu entry selects the extended libcrypt > + implementation provided by the libxcrypt package. > + > + Please see "System Libraries" for the configuration > + options of libxcrypt. > +endchoice > + > +config LIBC_CRYPT_INTERNAL_CRYPT > + bool > + select GLIBC_CRYPT if LIBC_GLIBC > + select UCLIBC_CRYPT if LIBC_UCLIBC > + > +endif 
> diff --git a/rules/libcrypt.make b/rules/libcrypt.make > new file mode 100644 > index 000000000..6f1448fe0 > --- /dev/null > +++ b/rules/libcrypt.make > @@ -0,0 +1,16 @@ > +# -*-makefile-*- > +# > +# Copyright (C) 2019 by Bjoern Esser > +# > +# For further information about the PTXdist project and license conditions > +# see the README file. > +# > + > +# > +# We provide this package > +# > +PACKAGES-$(PTXCONF_LIBC_CRYPT) += libcrypt > + > +LIBCRYPT_LICENSE:= ignore > + > +# vim: syntax=make > diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in > new file mode 100644 > index 000000000..281dabde2 > --- /dev/null > +++ b/rules/libxcrypt.in 
> @@ -0,0 +1,114 @@ > +## SECTION=system_libraries > + > +menuconfig LIBXCRYPT > + bool > + prompt "libxcrypt " > + depends on !LIBC_CRYPT_NATIVE_CRYPT > + help > + Extended crypt library for descrypt, md5crypt, bcrypt, and others. > + > + libxcrypt is a modern library for one-way hashing of passwords. > + It supports a wide variety of both modern and historical hashing > + methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, > + sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, > + and descrypt. It provides the traditional Unix crypt and crypt_r > + interfaces, as well as a set of extended interfaces pioneered by > + Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, > + crypt_gensalt_rn, and crypt_gensalt_ra. > + > + libxcrypt is intended to be used by login(1), passwd(1), and other > + similar programs; that is, to hash a small number of passwords > + during an interactive authentication dialogue with a human. It is > + not suitable for use in bulk password-cracking applications, or in > + any other situation where speed is more important than careful > + handling of sensitive data. However, it is intended to be fast > and > + lightweight enough for use in servers that must field thousands of > + login attempts per minute. > + > +if LIBXCRYPT > + > +config LIBXCRYPT_GLIBC_BINARY_COMPAT > + bool > + prompt "Enable full glibc binary compatibility" > + help > + When enabled, this option includes the interfaces for full binary > + compatibility with glibc. > + > + This setting only affects existing binaries; new programs cannot > + be linked against them. > + > +if LIBXCRYPT_GLIBC_BINARY_COMPAT > + > +config LIBXCRYPT_OBSOLETE_STUBS > + bool > + prompt "Replace obsolete functions with non-functional stubs" > + help > + If enabled, this option replaces the obsolete APIs (fcrypt, > + encrypt{,_r}, and setkey{,_r}) with stubs that set errno to > + ENOSYS and return without performing any real operations. 
> + > + For security reasons, the encrypt{,r} functions will also > + overwrite their data-block argument with random bits. > + > + The fcrypt function will also always return NULL-pointer. > + > +endif > + > +config LIBXCRYPT_BCRYPT_X > + bool > + prompt "Support for verifying weak bcrypt ($2x$) hashes" > + help > + The alternative prefix "$2x$" provides bug-compatibility with > + crypt_blowfish 1.0.4 and earlier, which incorrectly processed > + characters with the 8th bit set. > + > +config LIBXCRYPT_SHA1CRYPT > + bool > + prompt "sha1crypt ($sha1) hashing method" > + help > + A hash based on HMAC-SHA1. Originally developed for NetBSD. > + > + Enable this for compatibility with passphrases that have been > + hashed on NetBSD. > + > +config LIBXCRYPT_SUNMD5 > + bool > + prompt "SunMD5 ($md5) hashing method" > + help > + A hash based on the MD5 algorithm, with additional cleverness > + to make precomputation difficult. > + > + Enable this for full compatibility with passphrases that have > + been hashed on Solaris. > + > +config LIBXCRYPT_NTHASH > + bool > + prompt "NTHASH ($3$) hashing method" > + help > + The hashing method used for network authentication in some > + versions of the SMB/CIFS protocol. > + > + Available, for cross-compatibility's sake, on FreeBSD. > + > +config LIBXCRYPT_BSDICRYPT > + bool > + prompt "bsdicrypt ($2x$) hashing method" > + help > + A weak extension of traditional DES, which eliminates the > + length limit, increases the salt size, and makes the time > + cost tunable. > + > + It originates with BSDI and is also available on at least > + NetBSD, OpenBSD, FreeBSD, and MacOSX. > + > +config LIBXCRYPT_BIGCRYPT > + bool > + prompt "bigcrypt hashing method" > + help > + A weak extension of traditional DES, available on some > + System V-derived Unixes. All it does is raise the length > + limit from 8 to 128 characters, and it does this in a crude > + way that allows attackers to guess chunks of a long passphrase > + in parallel. 
> + > +endif > diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make > new file mode 100644 > index 000000000..266e42640 > --- /dev/null > +++ b/rules/libxcrypt.make 
> @@ -0,0 +1,95 @@ > +# -*-makefile-*- > +# > +# Copyright (C) 2019 by Bjoern Esser > +# > +# For further information about the PTXdist project and license conditions > +# see the README file. > +# > + > +# > +# We provide this package > +# > +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt > + > +# > +# Paths and names > +# > +LIBXCRYPT_VERSION := 4.4.28 > +LIBXCRYPT_MD5 := 0b873e641ae201e5e7470cf791c0fe16 > +LIBXCRYPT := libxcrypt-$(LIBXCRYPT_VERSION) > +LIBXCRYPT_SUFFIX := tar.xz > +LIBXCRYPT_URL := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) > +LIBXCRYPT_SOURCE := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) > +LIBXCRYPT_DIR := $(BUILDDIR)/$(LIBXCRYPT) > +LIBXCRYPT_LICENSE := LGPL-2.1-or-later AND BSD-3-Clause AND > BSD-2-Clause AND 0BSD AND public_domain > +LIBXCRYPT_LICENSE_MD5 := > file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c > + > +# > ---------------------------------------------------------------------------- > +# Prepare > +# > ---------------------------------------------------------------------------- > + > +# > +# options > +# > + > +# Hash methods enabled by default. 
> +HASH_METHODS := glibc,strong > + > +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X > +HASH_METHODS := $(HASH_METHODS),bcrypt_x > +endif > + > +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT > +HASH_METHODS := $(HASH_METHODS),sha1crypt > +endif > + > +ifdef PTXCONF_LIBXCRYPT_SUNMD5 > +HASH_METHODS := $(HASH_METHODS),sunmd5 > +endif > + > +ifdef PTXCONF_LIBXCRYPT_NTHASH > +HASH_METHODS := $(HASH_METHODS),nt > +endif > + > +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT > +HASH_METHODS := $(HASH_METHODS),bsdicrypt > +endif > + > +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT > +HASH_METHODS := $(HASH_METHODS),bigcrypt > +endif > + > +# > +# autoconf > +# > +LIBXCRYPT_CONF_TOOL := autoconf > +LIBXCRYPT_CONF_OPT := \ > + $(CROSS_AUTOCONF_USR) \ > + --disable-failure-tokens \ > + --disable-static \ > + --disable-valgrind \ > + --enable-obsolete-api=$(call > ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \ > + --enable-obsolete-api-enosys=$(call > ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \ > + --enable-hashes=$(HASH_METHODS) \ > + --enable-xcrypt-compat-files > + > +# > ---------------------------------------------------------------------------- > +# Target-Install > +# > ---------------------------------------------------------------------------- > + > +$(STATEDIR)/libxcrypt.targetinstall: > + @$(call targetinfo) > + > + @$(call install_init, libxcrypt) > + @$(call install_fixup, libxcrypt,PRIORITY,optional) > + @$(call install_fixup, libxcrypt,SECTION,base) > + @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser > ") > + @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library) > + > + @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt) > + > + @$(call install_finish, libxcrypt) > + > + @$(call touch) > + > +# vim: syntax=make > diff --git a/rules/uclibc.in b/rules/uclibc.in > index 1fa99eba5..ee9cb0f34 100644 > --- a/rules/uclibc.in > +++ b/rules/uclibc.in 
> @@ -24,12 +24,16 @@ config UCLIBC_C > > Better not turn this option off.. > > +if LIBC_CRYPT_NATIVE_CRYPT > + > config UCLIBC_CRYPT > bool > prompt "Install libcrypt" > help > The encryption/decryption library > > +endif > + > config UCLIBC_DL > bool > prompt "Install libdl" > -- > 2.34.1 >
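
Review bot: the "Install libcrypt" prompt in rules/glibc.in (and the matching UCLIBC_CRYPT entry in rules/uclibc.in) is now wrapped in "if LIBC_CRYPT_NATIVE_CRYPT", but that symbol is declared inside "if LIBC_CRYPT" in rules/libcrypt.in, so the prompt disappears whenever nothing selects LIBC_CRYPT. Before this change the entry was always offered next to GLIBC_DL and GLIBC_UTIL. If hiding it in that case is intended, the commit message should say so; otherwise the guard should only hide the entry when the libxcrypt choice is active, for example "if !LIBC_CRYPT_EXTENDED_CRYPT".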
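
Review bot: LIBC_CRYPT_EXTENDED_CRYPT in rules/libcrypt.in is declared as a choice entry but never referenced anywhere in the patch; every condition is written as the negation of the other entry ("select LIBXCRYPT if !LIBC_CRYPT_NATIVE_CRYPT" here, "depends on !LIBC_CRYPT_NATIVE_CRYPT" in rules/libxcrypt.in). Using "if LIBC_CRYPT_EXTENDED_CRYPT" for the select would state the intent directly. The menuconfig entry and the choice below it also carry the same prompt text, "POSIX crypt implementation", so the menu shows the title twice; a distinct prompt for the choice (for example "implementation to use") would read better.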
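
Review bot: the prompt of LIBXCRYPT_BSDICRYPT in rules/libxcrypt.in reads "bsdicrypt ($2x$) hashing method", but $2x$ is the prefix already given for LIBXCRYPT_BCRYPT_X a few entries above; bsdicrypt hashes are identified by a leading "_" in libxcrypt's crypt(5), so the prompt should say that or drop the prefix. In the LIBXCRYPT_OBSOLETE_STUBS help, "encrypt{,r}" should be "encrypt{,_r}", as spelled in the paragraph before it. The help texts for bsdicrypt and bigcrypt call those methods weak, while the NTHASH entry gives no such hint; a sentence there saying it is offered for compatibility only would keep the menu consistent.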
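
Review bot: LIBXCRYPT_VERSION := 4.4.28 in rules/libxcrypt.make does not match the v4 -> v5 changelog above, which says "Update libxcrypt 4.4.10 -> 4.4.24"; one of the two needs correcting so the posted version history matches what is built. HASH_METHODS is the only variable in this file without the LIBXCRYPT_ prefix, and it is assigned at top level with := inside the ifdef blocks; renaming it to LIBXCRYPT_HASH_METHODS keeps it in the package's namespace like every other variable here. A short comment next to "--enable-hashes=$(HASH_METHODS)" saying that "glibc,strong" is the baseline and that the Kconfig options only append legacy methods would help whoever audits which hash formats a target accepts.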