[ptxdist] [PATCH] libxcrypt: new package

[ptxdist] [PATCH] libxcrypt: new package

[Björn Esser]

From: Björn Esser <bes@pengutronix.de>

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Björn Esser <bes@pengutronix.de>
---
 rules/libcrypt.in    |  38 +++++++++++++++
 rules/libcrypt.make  |  16 ++++++
 rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
 rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
 4 files changed, 263 insertions(+)
 create mode 100644 rules/libcrypt.in
 create mode 100644 rules/libcrypt.make
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..9620f143b
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+	bool
+	prompt "POSIX crypt implementation    "
+	select LIBXCRYPT	if !NATIVE_CRYPT && EXTENDED_CRYPT
+	select INTERNAL_CRYPT	if NATIVE_CRYPT && !EXTENDED_CRYPT
+
+if LIBC_CRYPT
+
+choice
+	prompt "POSIX crypt implementation    "
+	default NATIVE_CRYPT
+
+	config NATIVE_CRYPT
+		bool
+		prompt "libc internal"
+		help
+		  This menu entry selects the basic libcrypt provided
+		  by the selected libc implementation of the system.
+
+	config EXTENDED_CRYPT
+		bool
+		prompt "libxcrypt    "
+		help
+		  This menu entry selects the extended libcrypt
+		  implementation provided by the libxcrypt package.
+
+		  Please see "System Libraries" for the configuration
+		  options of libxcrypt.
+endchoice
+
+config INTERNAL_CRYPT
+	bool
+	select GLIBC_CRYPT	if LIBC_GLIBC
+	select UCLIBC_CRYPT	if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..0cc526de4
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..1db488941
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	depends on !NATIVE_CRYPT
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+	bool
+	prompt "Enable full glibc binary compatibility"
+	help
+	  When enabled, this option includes the interfaces for full binary
+	  compatibility with glibc.
+
+	  This setting only affects existing binaries; new programs cannot
+	  be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+	bool
+	prompt "Support for verifying weak bcrypt ($2x$) hashes"
+	help
+	  The alternative prefix "$2x$" provides bug-compatibility with
+	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+	  characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+	bool
+	prompt "sha1crypt ($sha1) hashing method"
+	help
+	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+	  Enable this for compatibility with passphrases that have been
+	  hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+	bool
+	prompt "SunMD5 ($md5) hashing method"
+	help
+	  A hash based on the MD5 algorithm, with additional cleverness
+	  to make precomputation difficult.
+
+	  Enable this for full compatibility with passphrases that have
+	  been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+	bool
+	prompt "NTHASH ($3$) hashing method"
+	help
+	  The hashing method used for network authentication in some
+	  versions of the SMB/CIFS protocol.
+
+	  Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+	bool
+	prompt "bsdicrypt ($2x$) hashing method"
+	help
+	  A weak extension of traditional DES, which eliminates the
+	  length limit, increases the salt size, and makes the time
+	  cost tunable.
+
+	  It originates with BSDI and is also available on at least
+	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+	bool
+	prompt "bigcrypt hashing method"
+	help
+	  A weak extension of traditional DES, available on some
+	  System V-derived Unixes.  All it does is raise the length
+	  limit from 8 to 128 characters, and it does this in a crude
+	  way that allows attackers to guess chunks of a long passphrase
+	  in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..abfe8152a
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,95 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.9
+LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.gz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bdsicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt, md5crypt, bcrypt, and others.)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH] libxcrypt: new package

[Denis OSTERLAND]

Hi,

Am Montag, den 16.09.2019, 14:57 +0200 schrieb Björn Esser:
> From: Björn Esser <bes@pengutronix.de>
> 
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> ---
>  rules/libcrypt.in    |  38 +++++++++++++++
>  rules/libcrypt.make  |  16 ++++++
>  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
>  rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
>  4 files changed, 263 insertions(+)
>  create mode 100644 rules/libcrypt.in
>  create mode 100644 rules/libcrypt.make
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> new file mode 100644
> index 000000000..9620f143b
> --- /dev/null
> +++ b/rules/libcrypt.in
> @@ -0,0 +1,38 @@
> +## SECTION=core
> +
> +menuconfig LIBC_CRYPT
> +	bool
> +	prompt "POSIX crypt implementation    "
> +	select LIBXCRYPT	if !NATIVE_CRYPT && EXTENDED_CRYPT
> +	select INTERNAL_CRYPT	if NATIVE_CRYPT && !EXTENDED_CRYPT
Could be simplified to:
	select LIBXCRYPT	if EXTENDED_CRYPT
	select INTERNAL_CRYPT	if NATIVE_CRYPT
Because the choice statement ensures that the other one is not selected.

> +
> +if LIBC_CRYPT
> +
> +choice
> +	prompt "POSIX crypt implementation    "
> +	default NATIVE_CRYPT
> +
> +	config NATIVE_CRYPT
> +		bool
> +		prompt "libc internal"
> +		help
> +		  This menu entry selects the basic libcrypt provided
> +		  by the selected libc implementation of the system.
> +
> +	config EXTENDED_CRYPT
> +		bool
> +		prompt "libxcrypt    "
> +		help
> +		  This menu entry selects the extended libcrypt
> +		  implementation provided by the libxcrypt package.
> +
> +		  Please see "System Libraries" for the configuration
> +		  options of libxcrypt.
> +endchoice
> +
> +config INTERNAL_CRYPT
> +	bool
> +	select GLIBC_CRYPT	if LIBC_GLIBC
> +	select UCLIBC_CRYPT	if LIBC_UCLIBC
> +
> +endif
> diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> new file mode 100644
> index 000000000..0cc526de4
> --- /dev/null
> +++ b/rules/libcrypt.make
> @@ -0,0 +1,16 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
> +
> +LIBCRYPT_LICENSE:= ignore
> +
> +# vim: syntax=make
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..1db488941
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,114 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	depends on !NATIVE_CRYPT
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> +	bool
> +	prompt "Enable full glibc binary compatibility"
> +	help
> +	  When enabled, this option includes the interfaces for full binary
> +	  compatibility with glibc.
> +
> +	  This setting only affects existing binaries; new programs cannot
> +	  be linked against them.
> +
> +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> +
> +config LIBXCRYPT_BCRYPT_X
> +	bool
> +	prompt "Support for verifying weak bcrypt ($2x$) hashes"
> +	help
> +	  The alternative prefix "$2x$" provides bug-compatibility with
> +	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> +	  characters with the 8th bit set.
> +
> +config LIBXCRYPT_SHA1CRYPT
> +	bool
> +	prompt "sha1crypt ($sha1) hashing method"
> +	help
> +	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
> +
> +	  Enable this for compatibility with passphrases that have been
> +	  hashed on NetBSD.
> +
> +config LIBXCRYPT_SUNMD5
> +	bool
> +	prompt "SunMD5 ($md5) hashing method"
> +	help
> +	  A hash based on the MD5 algorithm, with additional cleverness
> +	  to make precomputation difficult.
> +
> +	  Enable this for full compatibility with passphrases that have
> +	  been hashed on Solaris.
> +
> +config LIBXCRYPT_NTHASH
> +	bool
> +	prompt "NTHASH ($3$) hashing method"
> +	help
> +	  The hashing method used for network authentication in some
> +	  versions of the SMB/CIFS protocol.
> +
> +	  Available, for cross-compatibility's sake, on FreeBSD.
> +
> +config LIBXCRYPT_BSDICRYPT
> +	bool
> +	prompt "bsdicrypt ($2x$) hashing method"
> +	help
> +	  A weak extension of traditional DES, which eliminates the
> +	  length limit, increases the salt size, and makes the time
> +	  cost tunable.
> +
> +	  It originates with BSDI and is also available on at least
> +	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
> +
> +config LIBXCRYPT_BIGCRYPT
> +	bool
> +	prompt "bigcrypt hashing method"
> +	help
> +	  A weak extension of traditional DES, available on some
> +	  System V-derived Unixes.  All it does is raise the length
> +	  limit from 8 to 128 characters, and it does this in a crude
> +	  way that allows attackers to guess chunks of a long passphrase
> +	  in parallel.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..abfe8152a
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,95 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.9
> +LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.gz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> +HASH_METHODS := $(HASH_METHODS),sha1crypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> +HASH_METHODS := $(HASH_METHODS),sunmd5
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_NTHASH
> +HASH_METHODS := $(HASH_METHODS),nt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> +HASH_METHODS := $(HASH_METHODS),bdsicrypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> +HASH_METHODS := $(HASH_METHODS),bigcrypt
> +endif
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt, md5crypt, bcrypt, and others.)
Does this work as intended?
I would expect that only "Extended crypt library for descrypt" is written to the pkg,
because of the ','.

> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make

Regards Denis


Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315
___________________________________________________________________________________________________

Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter https://www.diehl.com/group/de/transparenz-und-informationspflichten/

The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited. 
- For general information on data protection and your respective rights please visit https://www.diehl.com/group/en/transparency-and-information-obligations/
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v2] libxcrypt: new package

[Björn Esser]

From: Björn Esser <bes@pengutronix.de>

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Björn Esser <bes@pengutronix.de>
---
 rules/libcrypt.in    |  38 +++++++++++++++
 rules/libcrypt.make  |  16 ++++++
 rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
 rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
 4 files changed, 264 insertions(+)
 create mode 100644 rules/libcrypt.in
 create mode 100644 rules/libcrypt.make
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..be9642da0
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+	bool
+	prompt "POSIX crypt implementation    "
+	select LIBXCRYPT	if !NATIVE_CRYPT
+	select INTERNAL_CRYPT	if NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+	prompt "POSIX crypt implementation    "
+	default NATIVE_CRYPT
+
+	config NATIVE_CRYPT
+		bool
+		prompt "libc internal"
+		help
+		  This menu entry selects the basic libcrypt provided
+		  by the selected libc implementation of the system.
+
+	config EXTENDED_CRYPT
+		bool
+		prompt "libxcrypt    "
+		help
+		  This menu entry selects the extended libcrypt
+		  implementation provided by the libxcrypt package.
+
+		  Please see "System Libraries" for the configuration
+		  options of libxcrypt.
+endchoice
+
+config INTERNAL_CRYPT
+	bool
+	select GLIBC_CRYPT	if LIBC_GLIBC
+	select UCLIBC_CRYPT	if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..0cc526de4
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..1db488941
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	depends on !NATIVE_CRYPT
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+	bool
+	prompt "Enable full glibc binary compatibility"
+	help
+	  When enabled, this option includes the interfaces for full binary
+	  compatibility with glibc.
+
+	  This setting only affects existing binaries; new programs cannot
+	  be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+	bool
+	prompt "Support for verifying weak bcrypt ($2x$) hashes"
+	help
+	  The alternative prefix "$2x$" provides bug-compatibility with
+	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+	  characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+	bool
+	prompt "sha1crypt ($sha1) hashing method"
+	help
+	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+	  Enable this for compatibility with passphrases that have been
+	  hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+	bool
+	prompt "SunMD5 ($md5) hashing method"
+	help
+	  A hash based on the MD5 algorithm, with additional cleverness
+	  to make precomputation difficult.
+
+	  Enable this for full compatibility with passphrases that have
+	  been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+	bool
+	prompt "NTHASH ($3$) hashing method"
+	help
+	  The hashing method used for network authentication in some
+	  versions of the SMB/CIFS protocol.
+
+	  Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+	bool
+	prompt "bsdicrypt ($2x$) hashing method"
+	help
+	  A weak extension of traditional DES, which eliminates the
+	  length limit, increases the salt size, and makes the time
+	  cost tunable.
+
+	  It originates with BSDI and is also available on at least
+	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+	bool
+	prompt "bigcrypt hashing method"
+	help
+	  A weak extension of traditional DES, available on some
+	  System V-derived Unixes.  All it does is raise the length
+	  limit from 8 to 128 characters, and it does this in a crude
+	  way that allows attackers to guess chunks of a long passphrase
+	  in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..df5d25b1d
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,96 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.9
+LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.gz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bdsicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt$(comma) \
+						     md5crypt$(comma) bcrypt$(comma) and others.)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v3] libxcrypt: new package

[Björn Esser]

From: Björn Esser <bes@pengutronix.de>

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Björn Esser <bes@pengutronix.de>
---
 rules/glibc.in       |   4 ++
 rules/libc.in        |   7 ++-
 rules/libcrypt.in    |  38 +++++++++++++++
 rules/libcrypt.make  |  16 ++++++
 rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
 rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
 rules/uclibc.in      |   4 ++
 7 files changed, 275 insertions(+), 4 deletions(-)
 create mode 100644 rules/libcrypt.in
 create mode 100644 rules/libcrypt.make
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 16e5e84d1..0883e0543 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -79,12 +79,16 @@ config GLIBC_DL
 	  functionality you should probably use libtool instead. It is much more cross
 	  platform compatible than dlopen, etc. It also supports BeOS. See related links.
 
+if NATIVE_CRYPT
+
 config GLIBC_CRYPT
 	bool
 	prompt "Install libcrypt"
 	help
 	  The encryption/decryption library
 
+endif
+
 config GLIBC_UTIL
 	bool
 	prompt "Install libutil"
diff --git a/rules/libc.in b/rules/libc.in
index b4aa3b9f2..60ceecbe6 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -56,10 +56,9 @@ config LIBC_DL
 	select GLIBC_DL			if LIBC_GLIBC
 	select UCLIBC_DL		if LIBC_UCLIBC
 
-config LIBC_CRYPT
-	bool
-	select GLIBC_CRYPT		if LIBC_GLIBC
-	select UCLIBC_CRYPT		if LIBC_UCLIBC
+#
+# LIBC_CRYPT is handled by rules/libcrypt.in.
+#
 
 config LIBC_UTIL
 	bool
diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..be9642da0
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+	bool
+	prompt "POSIX crypt implementation    "
+	select LIBXCRYPT	if !NATIVE_CRYPT
+	select INTERNAL_CRYPT	if NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+	prompt "POSIX crypt implementation    "
+	default NATIVE_CRYPT
+
+	config NATIVE_CRYPT
+		bool
+		prompt "libc internal"
+		help
+		  This menu entry selects the basic libcrypt provided
+		  by the selected libc implementation of the system.
+
+	config EXTENDED_CRYPT
+		bool
+		prompt "libxcrypt    "
+		help
+		  This menu entry selects the extended libcrypt
+		  implementation provided by the libxcrypt package.
+
+		  Please see "System Libraries" for the configuration
+		  options of libxcrypt.
+endchoice
+
+config INTERNAL_CRYPT
+	bool
+	select GLIBC_CRYPT	if LIBC_GLIBC
+	select UCLIBC_CRYPT	if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..0cc526de4
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..1db488941
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	depends on !NATIVE_CRYPT
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+	bool
+	prompt "Enable full glibc binary compatibility"
+	help
+	  When enabled, this option includes the interfaces for full binary
+	  compatibility with glibc.
+
+	  This setting only affects existing binaries; new programs cannot
+	  be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+	bool
+	prompt "Support for verifying weak bcrypt ($2x$) hashes"
+	help
+	  The alternative prefix "$2x$" provides bug-compatibility with
+	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+	  characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+	bool
+	prompt "sha1crypt ($sha1) hashing method"
+	help
+	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+	  Enable this for compatibility with passphrases that have been
+	  hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+	bool
+	prompt "SunMD5 ($md5) hashing method"
+	help
+	  A hash based on the MD5 algorithm, with additional cleverness
+	  to make precomputation difficult.
+
+	  Enable this for full compatibility with passphrases that have
+	  been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+	bool
+	prompt "NTHASH ($3$) hashing method"
+	help
+	  The hashing method used for network authentication in some
+	  versions of the SMB/CIFS protocol.
+
+	  Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+	bool
+	prompt "bsdicrypt ($2x$) hashing method"
+	help
+	  A weak extension of traditional DES, which eliminates the
+	  length limit, increases the salt size, and makes the time
+	  cost tunable.
+
+	  It originates with BSDI and is also available on at least
+	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+	bool
+	prompt "bigcrypt hashing method"
+	help
+	  A weak extension of traditional DES, available on some
+	  System V-derived Unixes.  All it does is raise the length
+	  limit from 8 to 128 characters, and it does this in a crude
+	  way that allows attackers to guess chunks of a long passphrase
+	  in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..df5d25b1d
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,96 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.9
+LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.gz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bdsicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt$(comma) \
+						     md5crypt$(comma) bcrypt$(comma) and others.)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..3e4b3d5b3 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -24,12 +24,16 @@ config UCLIBC_C
 
 	  Better not turn this option off..
 
+if NATIVE_CRYPT
+
 config UCLIBC_CRYPT
 	bool
 	prompt "Install libcrypt"
 	help
 	  The encryption/decryption library
 
+endif
+
 config UCLIBC_DL
 	bool
 	prompt "Install libdl"
-- 
2.23.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v3] libxcrypt: new package

[Ahmad Fatoum]

Hello Björn,

On 9/18/19 11:57 AM, Björn Esser wrote:
> From: Björn Esser <bes@pengutronix.de>
> 
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> ---

It's customary to add a simple change log that highlights revision
differences here after the ---, something like:

v2 -> v3:
 - Foo'd the bar ($reviewer1_who_suggested_it)
v1 -> v2:
 - Bar'd the foo ($reviewer2)

For larger patch series, these can be placed in the cover letter.

Cheers
Ahmad

>  rules/glibc.in       |   4 ++
>  rules/libc.in        |   7 ++-
>  rules/libcrypt.in    |  38 +++++++++++++++
>  rules/libcrypt.make  |  16 ++++++
>  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
>  rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |   4 ++
>  7 files changed, 275 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libcrypt.in
>  create mode 100644 rules/libcrypt.make
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 16e5e84d1..0883e0543 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -79,12 +79,16 @@ config GLIBC_DL
>  	  functionality you should probably use libtool instead. It is much more cross
>  	  platform compatible than dlopen, etc. It also supports BeOS. See related links.
>  
> +if NATIVE_CRYPT
> +
>  config GLIBC_CRYPT
>  	bool
>  	prompt "Install libcrypt"
>  	help
>  	  The encryption/decryption library
>  
> +endif
> +
>  config GLIBC_UTIL
>  	bool
>  	prompt "Install libutil"
> diff --git a/rules/libc.in b/rules/libc.in
> index b4aa3b9f2..60ceecbe6 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -56,10 +56,9 @@ config LIBC_DL
>  	select GLIBC_DL			if LIBC_GLIBC
>  	select UCLIBC_DL		if LIBC_UCLIBC
>  
> -config LIBC_CRYPT
> -	bool
> -	select GLIBC_CRYPT		if LIBC_GLIBC
> -	select UCLIBC_CRYPT		if LIBC_UCLIBC
> +#
> +# LIBC_CRYPT is handled by rules/libcrypt.in.
> +#
>  
>  config LIBC_UTIL
>  	bool
> diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> new file mode 100644
> index 000000000..be9642da0
> --- /dev/null
> +++ b/rules/libcrypt.in
> @@ -0,0 +1,38 @@
> +## SECTION=core
> +
> +menuconfig LIBC_CRYPT
> +	bool
> +	prompt "POSIX crypt implementation    "
> +	select LIBXCRYPT	if !NATIVE_CRYPT
> +	select INTERNAL_CRYPT	if NATIVE_CRYPT
> +
> +if LIBC_CRYPT
> +
> +choice
> +	prompt "POSIX crypt implementation    "
> +	default NATIVE_CRYPT
> +
> +	config NATIVE_CRYPT
> +		bool
> +		prompt "libc internal"
> +		help
> +		  This menu entry selects the basic libcrypt provided
> +		  by the selected libc implementation of the system.
> +
> +	config EXTENDED_CRYPT
> +		bool
> +		prompt "libxcrypt    "
> +		help
> +		  This menu entry selects the extended libcrypt
> +		  implementation provided by the libxcrypt package.
> +
> +		  Please see "System Libraries" for the configuration
> +		  options of libxcrypt.
> +endchoice
> +
> +config INTERNAL_CRYPT
> +	bool
> +	select GLIBC_CRYPT	if LIBC_GLIBC
> +	select UCLIBC_CRYPT	if LIBC_UCLIBC
> +
> +endif
> diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> new file mode 100644
> index 000000000..0cc526de4
> --- /dev/null
> +++ b/rules/libcrypt.make
> @@ -0,0 +1,16 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
> +
> +LIBCRYPT_LICENSE:= ignore
> +
> +# vim: syntax=make
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..1db488941
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,114 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	depends on !NATIVE_CRYPT
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> +	bool
> +	prompt "Enable full glibc binary compatibility"
> +	help
> +	  When enabled, this option includes the interfaces for full binary
> +	  compatibility with glibc.
> +
> +	  This setting only affects existing binaries; new programs cannot
> +	  be linked against them.
> +
> +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> +
> +config LIBXCRYPT_BCRYPT_X
> +	bool
> +	prompt "Support for verifying weak bcrypt ($2x$) hashes"
> +	help
> +	  The alternative prefix "$2x$" provides bug-compatibility with
> +	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> +	  characters with the 8th bit set.
> +
> +config LIBXCRYPT_SHA1CRYPT
> +	bool
> +	prompt "sha1crypt ($sha1) hashing method"
> +	help
> +	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
> +
> +	  Enable this for compatibility with passphrases that have been
> +	  hashed on NetBSD.
> +
> +config LIBXCRYPT_SUNMD5
> +	bool
> +	prompt "SunMD5 ($md5) hashing method"
> +	help
> +	  A hash based on the MD5 algorithm, with additional cleverness
> +	  to make precomputation difficult.
> +
> +	  Enable this for full compatibility with passphrases that have
> +	  been hashed on Solaris.
> +
> +config LIBXCRYPT_NTHASH
> +	bool
> +	prompt "NTHASH ($3$) hashing method"
> +	help
> +	  The hashing method used for network authentication in some
> +	  versions of the SMB/CIFS protocol.
> +
> +	  Available, for cross-compatibility's sake, on FreeBSD.
> +
> +config LIBXCRYPT_BSDICRYPT
> +	bool
> +	prompt "bsdicrypt ($2x$) hashing method"
> +	help
> +	  A weak extension of traditional DES, which eliminates the
> +	  length limit, increases the salt size, and makes the time
> +	  cost tunable.
> +
> +	  It originates with BSDI and is also available on at least
> +	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
> +
> +config LIBXCRYPT_BIGCRYPT
> +	bool
> +	prompt "bigcrypt hashing method"
> +	help
> +	  A weak extension of traditional DES, available on some
> +	  System V-derived Unixes.  All it does is raise the length
> +	  limit from 8 to 128 characters, and it does this in a crude
> +	  way that allows attackers to guess chunks of a long passphrase
> +	  in parallel.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..df5d25b1d
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,96 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.9
> +LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.gz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> +HASH_METHODS := $(HASH_METHODS),sha1crypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> +HASH_METHODS := $(HASH_METHODS),sunmd5
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_NTHASH
> +HASH_METHODS := $(HASH_METHODS),nt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> +HASH_METHODS := $(HASH_METHODS),bdsicrypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> +HASH_METHODS := $(HASH_METHODS),bigcrypt
> +endif
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt$(comma) \
> +						     md5crypt$(comma) bcrypt$(comma) and others.)
> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..3e4b3d5b3 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -24,12 +24,16 @@ config UCLIBC_C
>  
>  	  Better not turn this option off..
>  
> +if NATIVE_CRYPT
> +
>  config UCLIBC_CRYPT
>  	bool
>  	prompt "Install libcrypt"
>  	help
>  	  The encryption/decryption library
>  
> +endif
> +
>  config UCLIBC_DL
>  	bool
>  	prompt "Install libdl"
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v3] libxcrypt: new package

[Björn Esser]

Hello Ahmad,

On Mi, 2019-09-18 at 12:06 +0200, Ahmad Fatoum wrote:
> Hello Björn,
> 
> On 9/18/19 11:57 AM, Björn Esser wrote:
> > From: Björn Esser <bes@pengutronix.de>
> > 
> > Also implement the needed logic to (optionally) replace
> > the libcrypt from the selected libc with libxcrypt.
> > 
> > libxcrypt is a modern library for one-way hashing of passwords.
> > It supports a wide variety of both modern and historical hashing
> > methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> > sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> > and descrypt. It provides the traditional Unix crypt and crypt_r
> > interfaces, as well as a set of extended interfaces pioneered by
> > Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> > crypt_gensalt_rn,
> > and crypt_gensalt_ra.
> > 
> > libxcrypt is intended to be used by login(1), passwd(1), and other
> > similar programs; that is, to hash a small number of passwords
> > during an interactive authentication dialogue with a human.  It is
> > not suitable for use in bulk password-cracking applications, or in
> > any other situation where speed is more important than careful
> > handling of sensitive data.  However, it is intended to be fast and
> > lightweight enough for use in servers that must field thousands of
> > login attempts per minute.
> > 
> > Signed-off-by: Björn Esser <bes@pengutronix.de>
> > ---
> 
> It's customary to add a simple change log that highlights revision
> differences here after the ---, something like:
> 
> v2 -> v3:
>  - Foo'd the bar ($reviewer1_who_suggested_it)
> v1 -> v2:
>  - Bar'd the foo ($reviewer2)
> 
> For larger patch series, these can be placed in the cover letter.
> 
> Cheers
> Ahmad

excuse me, I'm sorry.  Here is the CLog:

v2 -> v3:
  - Added 3 files that also needed minor adaptions and I forgot to add
    to the initial patch.

v1 -> v2:
  - Adapt the two remarks pointed out by Dennis Osterland

Cheers
Björn


> >  rules/glibc.in       |   4 ++
> >  rules/libc.in        |   7 ++-
> >  rules/libcrypt.in    |  38 +++++++++++++++
> >  rules/libcrypt.make  |  16 ++++++
> >  rules/libxcrypt.in   | 114
> > +++++++++++++++++++++++++++++++++++++++++++
> >  rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
> >  rules/uclibc.in      |   4 ++
> >  7 files changed, 275 insertions(+), 4 deletions(-)
> >  create mode 100644 rules/libcrypt.in
> >  create mode 100644 rules/libcrypt.make
> >  create mode 100644 rules/libxcrypt.in
> >  create mode 100644 rules/libxcrypt.make
> > 
> > diff --git a/rules/glibc.in b/rules/glibc.in
> > index 16e5e84d1..0883e0543 100644
> > --- a/rules/glibc.in
> > +++ b/rules/glibc.in
> > @@ -79,12 +79,16 @@ config GLIBC_DL
> >  	  functionality you should probably use libtool instead. It is
> > much more cross
> >  	  platform compatible than dlopen, etc. It also supports BeOS.
> > See related links.
> >  
> > +if NATIVE_CRYPT
> > +
> >  config GLIBC_CRYPT
> >  	bool
> >  	prompt "Install libcrypt"
> >  	help
> >  	  The encryption/decryption library
> >  
> > +endif
> > +
> >  config GLIBC_UTIL
> >  	bool
> >  	prompt "Install libutil"
> > diff --git a/rules/libc.in b/rules/libc.in
> > index b4aa3b9f2..60ceecbe6 100644
> > --- a/rules/libc.in
> > +++ b/rules/libc.in
> > @@ -56,10 +56,9 @@ config LIBC_DL
> >  	select GLIBC_DL			if LIBC_GLIBC
> >  	select UCLIBC_DL		if LIBC_UCLIBC
> >  
> > -config LIBC_CRYPT
> > -	bool
> > -	select GLIBC_CRYPT		if LIBC_GLIBC
> > -	select UCLIBC_CRYPT		if LIBC_UCLIBC
> > +#
> > +# LIBC_CRYPT is handled by rules/libcrypt.in.
> > +#
> >  
> >  config LIBC_UTIL
> >  	bool
> > diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> > new file mode 100644
> > index 000000000..be9642da0
> > --- /dev/null
> > +++ b/rules/libcrypt.in
> > @@ -0,0 +1,38 @@
> > +## SECTION=core
> > +
> > +menuconfig LIBC_CRYPT
> > +	bool
> > +	prompt "POSIX crypt implementation    "
> > +	select LIBXCRYPT	if !NATIVE_CRYPT
> > +	select INTERNAL_CRYPT	if NATIVE_CRYPT
> > +
> > +if LIBC_CRYPT
> > +
> > +choice
> > +	prompt "POSIX crypt implementation    "
> > +	default NATIVE_CRYPT
> > +
> > +	config NATIVE_CRYPT
> > +		bool
> > +		prompt "libc internal"
> > +		help
> > +		  This menu entry selects the basic libcrypt provided
> > +		  by the selected libc implementation of the system.
> > +
> > +	config EXTENDED_CRYPT
> > +		bool
> > +		prompt "libxcrypt    "
> > +		help
> > +		  This menu entry selects the extended libcrypt
> > +		  implementation provided by the libxcrypt package.
> > +
> > +		  Please see "System Libraries" for the configuration
> > +		  options of libxcrypt.
> > +endchoice
> > +
> > +config INTERNAL_CRYPT
> > +	bool
> > +	select GLIBC_CRYPT	if LIBC_GLIBC
> > +	select UCLIBC_CRYPT	if LIBC_UCLIBC
> > +
> > +endif
> > diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> > new file mode 100644
> > index 000000000..0cc526de4
> > --- /dev/null
> > +++ b/rules/libcrypt.make
> > @@ -0,0 +1,16 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> > +#
> > +# For further information about the PTXdist project and license
> > conditions
> > +# see the README file.
> > +#
> > +
> > +#
> > +# We provide this package
> > +#
> > +PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
> > +
> > +LIBCRYPT_LICENSE:= ignore
> > +
> > +# vim: syntax=make
> > diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> > new file mode 100644
> > index 000000000..1db488941
> > --- /dev/null
> > +++ b/rules/libxcrypt.in
> > @@ -0,0 +1,114 @@
> > +## SECTION=system_libraries
> > +
> > +menuconfig LIBXCRYPT
> > +	bool
> > +	prompt "libxcrypt                     "
> > +	depends on !NATIVE_CRYPT
> > +	help
> > +	  Extended crypt library for descrypt, md5crypt, bcrypt, and
> > others.
> > +
> > +	  libxcrypt is a modern library for one-way hashing of
> > passwords.
> > +	  It supports a wide variety of both modern and historical
> > hashing
> > +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt,
> > sha512crypt,
> > +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt,
> > bigcrypt,
> > +	  and descrypt.  It provides the traditional Unix crypt and
> > crypt_r
> > +	  interfaces, as well as a set of extended interfaces pioneered
> > by
> > +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> > +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> > +
> > +	  libxcrypt is intended to be used by login(1), passwd(1), and
> > other
> > +	  similar programs; that is, to hash a small number of
> > passwords
> > +	  during an interactive authentication dialogue with a
> > human.  It is
> > +	  not suitable for use in bulk password-cracking applications,
> > or in
> > +	  any other situation where speed is more important than
> > careful
> > +	  handling of sensitive data.  However, it is intended to be
> > fast and
> > +	  lightweight enough for use in servers that must field
> > thousands of
> > +	  login attempts per minute.
> > +
> > +if LIBXCRYPT
> > +
> > +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> > +	bool
> > +	prompt "Enable full glibc binary compatibility"
> > +	help
> > +	  When enabled, this option includes the interfaces for full
> > binary
> > +	  compatibility with glibc.
> > +
> > +	  This setting only affects existing binaries; new programs
> > cannot
> > +	  be linked against them.
> > +
> > +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> > +
> > +config LIBXCRYPT_OBSOLETE_STUBS
> > +	bool
> > +	prompt "Replace obsolete functions with non-functional stubs"
> > +	help
> > +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> > +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> > +	  ENOSYS and return without performing any real operations.
> > +
> > +	  For security reasons, the encrypt{,r} functions will also
> > +	  overwrite their data-block argument with random bits.
> > +
> > +	  The fcrypt function will also always return NULL-pointer.
> > +
> > +endif
> > +
> > +config LIBXCRYPT_BCRYPT_X
> > +	bool
> > +	prompt "Support for verifying weak bcrypt ($2x$) hashes"
> > +	help
> > +	  The alternative prefix "$2x$" provides bug-compatibility with
> > +	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> > +	  characters with the 8th bit set.
> > +
> > +config LIBXCRYPT_SHA1CRYPT
> > +	bool
> > +	prompt "sha1crypt ($sha1) hashing method"
> > +	help
> > +	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
> > +
> > +	  Enable this for compatibility with passphrases that have been
> > +	  hashed on NetBSD.
> > +
> > +config LIBXCRYPT_SUNMD5
> > +	bool
> > +	prompt "SunMD5 ($md5) hashing method"
> > +	help
> > +	  A hash based on the MD5 algorithm, with additional cleverness
> > +	  to make precomputation difficult.
> > +
> > +	  Enable this for full compatibility with passphrases that have
> > +	  been hashed on Solaris.
> > +
> > +config LIBXCRYPT_NTHASH
> > +	bool
> > +	prompt "NTHASH ($3$) hashing method"
> > +	help
> > +	  The hashing method used for network authentication in some
> > +	  versions of the SMB/CIFS protocol.
> > +
> > +	  Available, for cross-compatibility's sake, on FreeBSD.
> > +
> > +config LIBXCRYPT_BSDICRYPT
> > +	bool
> > +	prompt "bsdicrypt ($2x$) hashing method"
> > +	help
> > +	  A weak extension of traditional DES, which eliminates the
> > +	  length limit, increases the salt size, and makes the time
> > +	  cost tunable.
> > +
> > +	  It originates with BSDI and is also available on at least
> > +	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
> > +
> > +config LIBXCRYPT_BIGCRYPT
> > +	bool
> > +	prompt "bigcrypt hashing method"
> > +	help
> > +	  A weak extension of traditional DES, available on some
> > +	  System V-derived Unixes.  All it does is raise the length
> > +	  limit from 8 to 128 characters, and it does this in a crude
> > +	  way that allows attackers to guess chunks of a long
> > passphrase
> > +	  in parallel.
> > +
> > +endif
> > diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> > new file mode 100644
> > index 000000000..df5d25b1d
> > --- /dev/null
> > +++ b/rules/libxcrypt.make
> > @@ -0,0 +1,96 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> > +#
> > +# For further information about the PTXdist project and license
> > conditions
> > +# see the README file.
> > +#
> > +
> > +#
> > +# We provide this package
> > +#
> > +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> > +
> > +#
> > +# Paths and names
> > +#
> > +LIBXCRYPT_VERSION	:= 4.4.9
> > +LIBXCRYPT_MD5		:= 7c2d5206dfb6a72ed464eee812a58fcf
> > +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> > +LIBXCRYPT_SUFFIX	:= tar.gz
> > +LIBXCRYPT_URL		:= 
> > https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX
> > )
> > +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> > +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> > +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-
> > 2-Clause AND 0BSD AND public_domain
> > +LIBXCRYPT_LICENSE_MD5	:=
> > file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> > +
> > +# ----------------------------------------------------------------
> > ------------
> > +# Prepare
> > +# ----------------------------------------------------------------
> > ------------
> > +
> > +#
> > +# options
> > +#
> > +
> > +# Hash methods enabled by default.
> > +HASH_METHODS := glibc,strong
> > +
> > +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> > +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> > +HASH_METHODS := $(HASH_METHODS),sha1crypt
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> > +HASH_METHODS := $(HASH_METHODS),sunmd5
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_NTHASH
> > +HASH_METHODS := $(HASH_METHODS),nt
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> > +HASH_METHODS := $(HASH_METHODS),bdsicrypt
> > +endif
> > +
> > +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> > +HASH_METHODS := $(HASH_METHODS),bigcrypt
> > +endif
> > +
> > +#
> > +# autoconf
> > +#
> > +LIBXCRYPT_CONF_TOOL	:= autoconf
> > +LIBXCRYPT_CONF_OPT	:= \
> > +	$(CROSS_AUTOCONF_USR) \
> > +	--disable-failure-tokens \
> > +	--disable-static \
> > +	--disable-valgrind \
> > +	--enable-obsolete-api=$(call
> > ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
> > +	--enable-obsolete-api-enosys=$(call
> > ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> > +	--enable-hashes=$(HASH_METHODS) \
> > +	--enable-xcrypt-compat-files
> > +
> > +# ----------------------------------------------------------------
> > ------------
> > +# Target-Install
> > +# ----------------------------------------------------------------
> > ------------
> > +
> > +$(STATEDIR)/libxcrypt.targetinstall:
> > +	@$(call targetinfo)
> > +
> > +	@$(call install_init, libxcrypt)
> > +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> > +	@$(call install_fixup, libxcrypt,SECTION,base)
> > +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <
> > bes@pengutronix.de>")
> > +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt
> > library for descrypt$(comma) \
> > +						     md5crypt$(comma)
> > bcrypt$(comma) and others.)
> > +
> > +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> > +
> > +	@$(call install_finish, libxcrypt)
> > +
> > +	@$(call touch)
> > +
> > +# vim: syntax=make
> > diff --git a/rules/uclibc.in b/rules/uclibc.in
> > index 1fa99eba5..3e4b3d5b3 100644
> > --- a/rules/uclibc.in
> > +++ b/rules/uclibc.in
> > @@ -24,12 +24,16 @@ config UCLIBC_C
> >  
> >  	  Better not turn this option off..
> >  
> > +if NATIVE_CRYPT
> > +
> >  config UCLIBC_CRYPT
> >  	bool
> >  	prompt "Install libcrypt"
> >  	help
> >  	  The encryption/decryption library
> >  
> > +endif
> > +
> >  config UCLIBC_DL
> >  	bool
> >  	prompt "Install libdl"
> > 



_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v4] libxcrypt: new package

[Björn Esser]

From: Björn Esser <bes@pengutronix.de>

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Björn Esser <bes@pengutronix.de>
---
 rules/glibc.in       |   4 ++
 rules/libc.in        |   7 ++-
 rules/libcrypt.in    |  38 +++++++++++++++
 rules/libcrypt.make  |  16 ++++++
 rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
 rules/libxcrypt.make |  96 ++++++++++++++++++++++++++++++++++++
 rules/uclibc.in      |   4 ++
 7 files changed, 275 insertions(+), 4 deletions(-)
 create mode 100644 rules/libcrypt.in
 create mode 100644 rules/libcrypt.make
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 16e5e84d1..0883e0543 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -79,12 +79,16 @@ config GLIBC_DL
 	  functionality you should probably use libtool instead. It is much more cross
 	  platform compatible than dlopen, etc. It also supports BeOS. See related links.
 
+if NATIVE_CRYPT
+
 config GLIBC_CRYPT
 	bool
 	prompt "Install libcrypt"
 	help
 	  The encryption/decryption library
 
+endif
+
 config GLIBC_UTIL
 	bool
 	prompt "Install libutil"
diff --git a/rules/libc.in b/rules/libc.in
index b4aa3b9f2..60ceecbe6 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -56,10 +56,9 @@ config LIBC_DL
 	select GLIBC_DL			if LIBC_GLIBC
 	select UCLIBC_DL		if LIBC_UCLIBC
 
-config LIBC_CRYPT
-	bool
-	select GLIBC_CRYPT		if LIBC_GLIBC
-	select UCLIBC_CRYPT		if LIBC_UCLIBC
+#
+# LIBC_CRYPT is handled by rules/libcrypt.in.
+#
 
 config LIBC_UTIL
 	bool
diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..be9642da0
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+	bool
+	prompt "POSIX crypt implementation    "
+	select LIBXCRYPT	if !NATIVE_CRYPT
+	select INTERNAL_CRYPT	if NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+	prompt "POSIX crypt implementation    "
+	default NATIVE_CRYPT
+
+	config NATIVE_CRYPT
+		bool
+		prompt "libc internal"
+		help
+		  This menu entry selects the basic libcrypt provided
+		  by the selected libc implementation of the system.
+
+	config EXTENDED_CRYPT
+		bool
+		prompt "libxcrypt    "
+		help
+		  This menu entry selects the extended libcrypt
+		  implementation provided by the libxcrypt package.
+
+		  Please see "System Libraries" for the configuration
+		  options of libxcrypt.
+endchoice
+
+config INTERNAL_CRYPT
+	bool
+	select GLIBC_CRYPT	if LIBC_GLIBC
+	select UCLIBC_CRYPT	if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..0cc526de4
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBCRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..1db488941
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	depends on !NATIVE_CRYPT
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+	bool
+	prompt "Enable full glibc binary compatibility"
+	help
+	  When enabled, this option includes the interfaces for full binary
+	  compatibility with glibc.
+
+	  This setting only affects existing binaries; new programs cannot
+	  be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+	bool
+	prompt "Support for verifying weak bcrypt ($2x$) hashes"
+	help
+	  The alternative prefix "$2x$" provides bug-compatibility with
+	  crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+	  characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+	bool
+	prompt "sha1crypt ($sha1) hashing method"
+	help
+	  A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+	  Enable this for compatibility with passphrases that have been
+	  hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+	bool
+	prompt "SunMD5 ($md5) hashing method"
+	help
+	  A hash based on the MD5 algorithm, with additional cleverness
+	  to make precomputation difficult.
+
+	  Enable this for full compatibility with passphrases that have
+	  been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+	bool
+	prompt "NTHASH ($3$) hashing method"
+	help
+	  The hashing method used for network authentication in some
+	  versions of the SMB/CIFS protocol.
+
+	  Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+	bool
+	prompt "bsdicrypt ($2x$) hashing method"
+	help
+	  A weak extension of traditional DES, which eliminates the
+	  length limit, increases the salt size, and makes the time
+	  cost tunable.
+
+	  It originates with BSDI and is also available on at least
+	  NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+	bool
+	prompt "bigcrypt hashing method"
+	help
+	  A weak extension of traditional DES, available on some
+	  System V-derived Unixes.  All it does is raise the length
+	  limit from 8 to 128 characters, and it does this in a crude
+	  way that allows attackers to guess chunks of a long passphrase
+	  in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..5f9008564
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,96 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.10
+LIBXCRYPT_MD5		:= 3eb083c2528cdd37314080891d77e779
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.gz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/archive/v$(LIBXCRYPT_VERSION).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bdsicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library for descrypt$(comma) \
+						     md5crypt$(comma) bcrypt$(comma) and others.)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..3e4b3d5b3 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -24,12 +24,16 @@ config UCLIBC_C
 
 	  Better not turn this option off..
 
+if NATIVE_CRYPT
+
 config UCLIBC_CRYPT
 	bool
 	prompt "Install libcrypt"
 	help
 	  The encryption/decryption library
 
+endif
+
 config UCLIBC_DL
 	bool
 	prompt "Install libdl"
-- 
2.23.0

v3 -> v4:
  - Update libxcrypt 4.4.9 -> 4.4.10

v2 -> v3:
  - Added 3 files that also needed minor adaptions and I forgot to add
    to the initial patch.

v1 -> v2:
  - Adapt the two remarks pointed out by Dennis Osterland

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v4] libxcrypt: new package

[Lucas Stach]

Hi Björn,

Am Montag, den 23.09.2019, 12:07 +0200 schrieb Björn Esser:
> From: Björn Esser <bes@pengutronix.de>
> 
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> ---

It would be nice to have a log of changes between the patch revisions
here to make it easier for reviewers to tell what changed from the last
submission.

Regards,
Lucas


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] [PATCH v4] libxcrypt: new package

[Björn Esser]

Hi Lucas,

On Mo, 2019-09-23 at 12:12 +0200, Lucas Stach wrote:
> It would be nice to have a log of changes between the patch revisions
> here to make it easier for reviewers to tell what changed from the
> last submission.

It is located below the actual patch.

Cheers
Björn


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH v5] libxcrypt: new package

[Andreas Helmcke]

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
---

v4 -> v5: (by Andreas Helmcke)
   - Update libxcrypt 4.4.10 -> 4.4.24
   - Changed download url to official tar, which does not need autoconf
   - Changed the config variable names to reflect menu structure
   - Corrected two typos

original work by Björn Esser :
v3 -> v4:
   - Update libxcrypt 4.4.9 -> 4.4.10

v2 -> v3:
   - Added 3 files that also needed minor adaptions and I forgot to add
     to the initial patch.

v1 -> v2:
   - Adapt the two remarks pointed out by Dennis Osterland



  rules/glibc.in       |   4 ++
  rules/libc.in        |   7 ++-
  rules/libcrypt.in    |  38 +++++++++++++++
  rules/libcrypt.make  |  16 ++++++
  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
  rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
  rules/uclibc.in      |   4 ++
  7 files changed, 274 insertions(+), 4 deletions(-)
  create mode 100644 rules/libcrypt.in
  create mode 100644 rules/libcrypt.make
  create mode 100644 rules/libxcrypt.in
  create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 16e5e84d1..1d1fa4980 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -79,12 +79,16 @@ config GLIBC_DL
           functionality you should probably use libtool instead. It is 
much more cross
           platform compatible than dlopen, etc. It also supports BeOS. 
See related links.

+if LIBC_CRYPT_NATIVE_CRYPT
+
  config GLIBC_CRYPT
         bool
         prompt "Install libcrypt"
         help
           The encryption/decryption library

+endif
+
  config GLIBC_UTIL
         bool
         prompt "Install libutil"
diff --git a/rules/libc.in b/rules/libc.in
index 1614affd9..01fe55af5 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -57,10 +57,9 @@ config LIBC_DL
         select GLIBC_DL                 if LIBC_GLIBC
         select UCLIBC_DL                if LIBC_UCLIBC

-config LIBC_CRYPT
-       bool
-       select GLIBC_CRYPT              if LIBC_GLIBC
-       select UCLIBC_CRYPT             if LIBC_UCLIBC
+#
+# LIBC_CRYPT is handled by rules/libcrypt.in.
+#

  config LIBC_UTIL
         bool
diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..117cb72a5
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+       bool
+       prompt "POSIX crypt implementation    "
+       select LIBXCRYPT        if !LIBC_CRYPT_NATIVE_CRYPT
+       select LIBC_CRYPT_INTERNAL_CRYPT        if LIBC_CRYPT_NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+       prompt "POSIX crypt implementation    "
+       default LIBC_CRYPT_NATIVE_CRYPT
+
+       config LIBC_CRYPT_NATIVE_CRYPT
+               bool
+               prompt "libc internal"
+               help
+                 This menu entry selects the basic libcrypt provided
+                 by the selected libc implementation of the system.
+
+       config LIBC_CRYPT_EXTENDED_CRYPT
+               bool
+               prompt "libxcrypt    "
+               help
+                 This menu entry selects the extended libcrypt
+                 implementation provided by the libxcrypt package.
+
+                 Please see "System Libraries" for the configuration
+                 options of libxcrypt.
+endchoice
+
+config LIBC_CRYPT_INTERNAL_CRYPT
+       bool
+       select GLIBC_CRYPT      if LIBC_GLIBC
+       select UCLIBC_CRYPT     if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..6f1448fe0
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBC_CRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..281dabde2
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+       bool
+       prompt "libxcrypt                     "
+       depends on !LIBC_CRYPT_NATIVE_CRYPT
+       help
+         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+         libxcrypt is a modern library for one-way hashing of passwords.
+         It supports a wide variety of both modern and historical hashing
+         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+         and descrypt.  It provides the traditional Unix crypt and crypt_r
+         interfaces, as well as a set of extended interfaces pioneered by
+         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+         crypt_gensalt_rn, and crypt_gensalt_ra.
+
+         libxcrypt is intended to be used by login(1), passwd(1), and other
+         similar programs; that is, to hash a small number of passwords
+         during an interactive authentication dialogue with a human.  It is
+         not suitable for use in bulk password-cracking applications, or in
+         any other situation where speed is more important than careful
+         handling of sensitive data.  However, it is intended to be 
fast and
+         lightweight enough for use in servers that must field thousands of
+         login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+       bool
+       prompt "Enable full glibc binary compatibility"
+       help
+         When enabled, this option includes the interfaces for full binary
+         compatibility with glibc.
+
+         This setting only affects existing binaries; new programs cannot
+         be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+       bool
+       prompt "Replace obsolete functions with non-functional stubs"
+       help
+         If enabled, this option replaces the obsolete APIs (fcrypt,
+         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+         ENOSYS and return without performing any real operations.
+
+         For security reasons, the encrypt{,r} functions will also
+         overwrite their data-block argument with random bits.
+
+         The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+       bool
+       prompt "Support for verifying weak bcrypt ($2x$) hashes"
+       help
+         The alternative prefix "$2x$" provides bug-compatibility with
+         crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+         characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+       bool
+       prompt "sha1crypt ($sha1) hashing method"
+       help
+         A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+         Enable this for compatibility with passphrases that have been
+         hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+       bool
+       prompt "SunMD5 ($md5) hashing method"
+       help
+         A hash based on the MD5 algorithm, with additional cleverness
+         to make precomputation difficult.
+
+         Enable this for full compatibility with passphrases that have
+         been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+       bool
+       prompt "NTHASH ($3$) hashing method"
+       help
+         The hashing method used for network authentication in some
+         versions of the SMB/CIFS protocol.
+
+         Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+       bool
+       prompt "bsdicrypt ($2x$) hashing method"
+       help
+         A weak extension of traditional DES, which eliminates the
+         length limit, increases the salt size, and makes the time
+         cost tunable.
+
+         It originates with BSDI and is also available on at least
+         NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+       bool
+       prompt "bigcrypt hashing method"
+       help
+         A weak extension of traditional DES, available on some
+         System V-derived Unixes.  All it does is raise the length
+         limit from 8 to 128 characters, and it does this in a crude
+         way that allows attackers to guess chunks of a long passphrase
+         in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..266e42640
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,95 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION      := 4.4.28
+LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
+LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX       := tar.xz
+LIBXCRYPT_URL          := 
https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND 
BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5  := 
file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# 
----------------------------------------------------------------------------
+# Prepare
+# 
----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bsdicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL    := autoconf
+LIBXCRYPT_CONF_OPT     := \
+       $(CROSS_AUTOCONF_USR) \
+       --disable-failure-tokens \
+       --disable-static \
+       --disable-valgrind \
+       --enable-obsolete-api=$(call 
ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+       --enable-obsolete-api-enosys=$(call 
ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+       --enable-hashes=$(HASH_METHODS) \
+       --enable-xcrypt-compat-files
+
+# 
----------------------------------------------------------------------------
+# Target-Install
+# 
----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+       @$(call targetinfo)
+
+       @$(call install_init, libxcrypt)
+       @$(call install_fixup, libxcrypt,PRIORITY,optional)
+       @$(call install_fixup, libxcrypt,SECTION,base)
+       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser 
<bes@pengutronix.de>")
+       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
+
+       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+       @$(call install_finish, libxcrypt)
+
+       @$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..ee9cb0f34 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -24,12 +24,16 @@ config UCLIBC_C

           Better not turn this option off..

+if LIBC_CRYPT_NATIVE_CRYPT
+
  config UCLIBC_CRYPT
         bool
         prompt "Install libcrypt"
         help
           The encryption/decryption library

+endif
+
  config UCLIBC_DL
         bool
         prompt "Install libdl"
-- 
2.34.1

Re: [ptxdist] [PATCH v5] libxcrypt: new package

[Alexander Dahl]

Hello Andreas,

Am Wed, May 04, 2022 at 06:58:10PM +0200 schrieb Andreas Helmcke:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
> ---
> 
> v4 -> v5: (by Andreas Helmcke)
>   - Update libxcrypt 4.4.10 -> 4.4.24
>   - Changed download url to official tar, which does not need autoconf
>   - Changed the config variable names to reflect menu structure
>   - Corrected two typos
> 
> original work by Björn Esser :

You might want to add a "Co-authored-by: …" line to your commit
message then to give credit to previous work.

Greets
Alex

> v3 -> v4:
>   - Update libxcrypt 4.4.9 -> 4.4.10
> 
> v2 -> v3:
>   - Added 3 files that also needed minor adaptions and I forgot to add
>     to the initial patch.
> 
> v1 -> v2:
>   - Adapt the two remarks pointed out by Dennis Osterland
> 
> 
> 
>  rules/glibc.in       |   4 ++
>  rules/libc.in        |   7 ++-
>  rules/libcrypt.in    |  38 +++++++++++++++
>  rules/libcrypt.make  |  16 ++++++
>  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
>  rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |   4 ++
>  7 files changed, 274 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libcrypt.in
>  create mode 100644 rules/libcrypt.make
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 16e5e84d1..1d1fa4980 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -79,12 +79,16 @@ config GLIBC_DL
>           functionality you should probably use libtool instead. It is much
> more cross
>           platform compatible than dlopen, etc. It also supports BeOS. See
> related links.
> 
> +if LIBC_CRYPT_NATIVE_CRYPT
> +
>  config GLIBC_CRYPT
>         bool
>         prompt "Install libcrypt"
>         help
>           The encryption/decryption library
> 
> +endif
> +
>  config GLIBC_UTIL
>         bool
>         prompt "Install libutil"
> diff --git a/rules/libc.in b/rules/libc.in
> index 1614affd9..01fe55af5 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -57,10 +57,9 @@ config LIBC_DL
>         select GLIBC_DL                 if LIBC_GLIBC
>         select UCLIBC_DL                if LIBC_UCLIBC
> 
> -config LIBC_CRYPT
> -       bool
> -       select GLIBC_CRYPT              if LIBC_GLIBC
> -       select UCLIBC_CRYPT             if LIBC_UCLIBC
> +#
> +# LIBC_CRYPT is handled by rules/libcrypt.in.
> +#
> 
>  config LIBC_UTIL
>         bool
> diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> new file mode 100644
> index 000000000..117cb72a5
> --- /dev/null
> +++ b/rules/libcrypt.in
> @@ -0,0 +1,38 @@
> +## SECTION=core
> +
> +menuconfig LIBC_CRYPT
> +       bool
> +       prompt "POSIX crypt implementation    "
> +       select LIBXCRYPT        if !LIBC_CRYPT_NATIVE_CRYPT
> +       select LIBC_CRYPT_INTERNAL_CRYPT        if LIBC_CRYPT_NATIVE_CRYPT
> +
> +if LIBC_CRYPT
> +
> +choice
> +       prompt "POSIX crypt implementation    "
> +       default LIBC_CRYPT_NATIVE_CRYPT
> +
> +       config LIBC_CRYPT_NATIVE_CRYPT
> +               bool
> +               prompt "libc internal"
> +               help
> +                 This menu entry selects the basic libcrypt provided
> +                 by the selected libc implementation of the system.
> +
> +       config LIBC_CRYPT_EXTENDED_CRYPT
> +               bool
> +               prompt "libxcrypt    "
> +               help
> +                 This menu entry selects the extended libcrypt
> +                 implementation provided by the libxcrypt package.
> +
> +                 Please see "System Libraries" for the configuration
> +                 options of libxcrypt.
> +endchoice
> +
> +config LIBC_CRYPT_INTERNAL_CRYPT
> +       bool
> +       select GLIBC_CRYPT      if LIBC_GLIBC
> +       select UCLIBC_CRYPT     if LIBC_UCLIBC
> +
> +endif
> diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> new file mode 100644
> index 000000000..6f1448fe0
> --- /dev/null
> +++ b/rules/libcrypt.make
> @@ -0,0 +1,16 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBC_CRYPT) += libcrypt
> +
> +LIBCRYPT_LICENSE:= ignore
> +
> +# vim: syntax=make
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..281dabde2
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,114 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +       bool
> +       prompt "libxcrypt                     "
> +       depends on !LIBC_CRYPT_NATIVE_CRYPT
> +       help
> +         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +         libxcrypt is a modern library for one-way hashing of passwords.
> +         It supports a wide variety of both modern and historical hashing
> +         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +         and descrypt.  It provides the traditional Unix crypt and crypt_r
> +         interfaces, as well as a set of extended interfaces pioneered by
> +         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +         crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +         libxcrypt is intended to be used by login(1), passwd(1), and other
> +         similar programs; that is, to hash a small number of passwords
> +         during an interactive authentication dialogue with a human.  It is
> +         not suitable for use in bulk password-cracking applications, or in
> +         any other situation where speed is more important than careful
> +         handling of sensitive data.  However, it is intended to be fast
> and
> +         lightweight enough for use in servers that must field thousands of
> +         login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> +       bool
> +       prompt "Enable full glibc binary compatibility"
> +       help
> +         When enabled, this option includes the interfaces for full binary
> +         compatibility with glibc.
> +
> +         This setting only affects existing binaries; new programs cannot
> +         be linked against them.
> +
> +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +       bool
> +       prompt "Replace obsolete functions with non-functional stubs"
> +       help
> +         If enabled, this option replaces the obsolete APIs (fcrypt,
> +         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +         ENOSYS and return without performing any real operations.
> +
> +         For security reasons, the encrypt{,r} functions will also
> +         overwrite their data-block argument with random bits.
> +
> +         The fcrypt function will also always return NULL-pointer.
> +
> +endif
> +
> +config LIBXCRYPT_BCRYPT_X
> +       bool
> +       prompt "Support for verifying weak bcrypt ($2x$) hashes"
> +       help
> +         The alternative prefix "$2x$" provides bug-compatibility with
> +         crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> +         characters with the 8th bit set.
> +
> +config LIBXCRYPT_SHA1CRYPT
> +       bool
> +       prompt "sha1crypt ($sha1) hashing method"
> +       help
> +         A hash based on HMAC-SHA1.  Originally developed for NetBSD.
> +
> +         Enable this for compatibility with passphrases that have been
> +         hashed on NetBSD.
> +
> +config LIBXCRYPT_SUNMD5
> +       bool
> +       prompt "SunMD5 ($md5) hashing method"
> +       help
> +         A hash based on the MD5 algorithm, with additional cleverness
> +         to make precomputation difficult.
> +
> +         Enable this for full compatibility with passphrases that have
> +         been hashed on Solaris.
> +
> +config LIBXCRYPT_NTHASH
> +       bool
> +       prompt "NTHASH ($3$) hashing method"
> +       help
> +         The hashing method used for network authentication in some
> +         versions of the SMB/CIFS protocol.
> +
> +         Available, for cross-compatibility's sake, on FreeBSD.
> +
> +config LIBXCRYPT_BSDICRYPT
> +       bool
> +       prompt "bsdicrypt ($2x$) hashing method"
> +       help
> +         A weak extension of traditional DES, which eliminates the
> +         length limit, increases the salt size, and makes the time
> +         cost tunable.
> +
> +         It originates with BSDI and is also available on at least
> +         NetBSD, OpenBSD, FreeBSD, and MacOSX.
> +
> +config LIBXCRYPT_BIGCRYPT
> +       bool
> +       prompt "bigcrypt hashing method"
> +       help
> +         A weak extension of traditional DES, available on some
> +         System V-derived Unixes.  All it does is raise the length
> +         limit from 8 to 128 characters, and it does this in a crude
> +         way that allows attackers to guess chunks of a long passphrase
> +         in parallel.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..266e42640
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,95 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION      := 4.4.28
> +LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
> +LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX       := tar.xz
> +LIBXCRYPT_URL          := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND
> BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5  :=
> file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +#
> ----------------------------------------------------------------------------
> +# Prepare
> +#
> ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> +HASH_METHODS := $(HASH_METHODS),sha1crypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> +HASH_METHODS := $(HASH_METHODS),sunmd5
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_NTHASH
> +HASH_METHODS := $(HASH_METHODS),nt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> +HASH_METHODS := $(HASH_METHODS),bsdicrypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> +HASH_METHODS := $(HASH_METHODS),bigcrypt
> +endif
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL    := autoconf
> +LIBXCRYPT_CONF_OPT     := \
> +       $(CROSS_AUTOCONF_USR) \
> +       --disable-failure-tokens \
> +       --disable-static \
> +       --disable-valgrind \
> +       --enable-obsolete-api=$(call
> ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
> +       --enable-obsolete-api-enosys=$(call
> ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +       --enable-hashes=$(HASH_METHODS) \
> +       --enable-xcrypt-compat-files
> +
> +#
> ----------------------------------------------------------------------------
> +# Target-Install
> +#
> ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +       @$(call targetinfo)
> +
> +       @$(call install_init, libxcrypt)
> +       @$(call install_fixup, libxcrypt,PRIORITY,optional)
> +       @$(call install_fixup, libxcrypt,SECTION,base)
> +       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser
> <bes@pengutronix.de>")
> +       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +       @$(call install_finish, libxcrypt)
> +
> +       @$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..ee9cb0f34 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -24,12 +24,16 @@ config UCLIBC_C
> 
>           Better not turn this option off..
> 
> +if LIBC_CRYPT_NATIVE_CRYPT
> +
>  config UCLIBC_CRYPT
>         bool
>         prompt "Install libcrypt"
>         help
>           The encryption/decryption library
> 
> +endif
> +
>  config UCLIBC_DL
>         bool
>         prompt "Install libdl"
> -- 
> 2.34.1
> 

[ptxdist] [PATCH v6] libxcrypt: new package

[Andreas Helmcke]

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Co-authored-by: Andreas Helmcke <ahe@helmcke.name>
Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
Signed-off-by: Björn Esser <bes@pengutronix.de>
---

v5 -> v6: (by Andreas Helmcke)
   - Updated commit message to properly address authors

v4 -> v5: (by Andreas Helmcke)
   - Update libxcrypt 4.4.10 -> 4.4.24
   - Changed download url to official tar, which does not need autoconf
   - Changed the config variable names to reflect menu structure
   - Corrected two typos

original work by Björn Esser :
v3 -> v4:
   - Update libxcrypt 4.4.9 -> 4.4.10

v2 -> v3:
   - Added 3 files that also needed minor adaptions and I forgot to add
     to the initial patch.

v1 -> v2:
   - Adapt the two remarks pointed out by Dennis Osterland



  rules/glibc.in       |   4 ++
  rules/libc.in        |   7 ++-
  rules/libcrypt.in    |  38 +++++++++++++++
  rules/libcrypt.make  |  16 ++++++
  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
  rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
  rules/uclibc.in      |   4 ++
  7 files changed, 274 insertions(+), 4 deletions(-)
  create mode 100644 rules/libcrypt.in
  create mode 100644 rules/libcrypt.make
  create mode 100644 rules/libxcrypt.in
  create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 16e5e84d1..1d1fa4980 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -79,12 +79,16 @@ config GLIBC_DL
           functionality you should probably use libtool instead. It is 
much more cross
           platform compatible than dlopen, etc. It also supports BeOS. 
See related links.

+if LIBC_CRYPT_NATIVE_CRYPT
+
  config GLIBC_CRYPT
         bool
         prompt "Install libcrypt"
         help
           The encryption/decryption library

+endif
+
  config GLIBC_UTIL
         bool
         prompt "Install libutil"
diff --git a/rules/libc.in b/rules/libc.in
index 1614affd9..01fe55af5 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -57,10 +57,9 @@ config LIBC_DL
         select GLIBC_DL                 if LIBC_GLIBC
         select UCLIBC_DL                if LIBC_UCLIBC

-config LIBC_CRYPT
-       bool
-       select GLIBC_CRYPT              if LIBC_GLIBC
-       select UCLIBC_CRYPT             if LIBC_UCLIBC
+#
+# LIBC_CRYPT is handled by rules/libcrypt.in.
+#

  config LIBC_UTIL
         bool
diff --git a/rules/libcrypt.in b/rules/libcrypt.in
new file mode 100644
index 000000000..117cb72a5
--- /dev/null
+++ b/rules/libcrypt.in
@@ -0,0 +1,38 @@
+## SECTION=core
+
+menuconfig LIBC_CRYPT
+       bool
+       prompt "POSIX crypt implementation    "
+       select LIBXCRYPT        if !LIBC_CRYPT_NATIVE_CRYPT
+       select LIBC_CRYPT_INTERNAL_CRYPT        if LIBC_CRYPT_NATIVE_CRYPT
+
+if LIBC_CRYPT
+
+choice
+       prompt "POSIX crypt implementation    "
+       default LIBC_CRYPT_NATIVE_CRYPT
+
+       config LIBC_CRYPT_NATIVE_CRYPT
+               bool
+               prompt "libc internal"
+               help
+                 This menu entry selects the basic libcrypt provided
+                 by the selected libc implementation of the system.
+
+       config LIBC_CRYPT_EXTENDED_CRYPT
+               bool
+               prompt "libxcrypt    "
+               help
+                 This menu entry selects the extended libcrypt
+                 implementation provided by the libxcrypt package.
+
+                 Please see "System Libraries" for the configuration
+                 options of libxcrypt.
+endchoice
+
+config LIBC_CRYPT_INTERNAL_CRYPT
+       bool
+       select GLIBC_CRYPT      if LIBC_GLIBC
+       select UCLIBC_CRYPT     if LIBC_UCLIBC
+
+endif
diff --git a/rules/libcrypt.make b/rules/libcrypt.make
new file mode 100644
index 000000000..6f1448fe0
--- /dev/null
+++ b/rules/libcrypt.make
@@ -0,0 +1,16 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBC_CRYPT) += libcrypt
+
+LIBCRYPT_LICENSE:= ignore
+
+# vim: syntax=make
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..281dabde2
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,114 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+       bool
+       prompt "libxcrypt                     "
+       depends on !LIBC_CRYPT_NATIVE_CRYPT
+       help
+         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+         libxcrypt is a modern library for one-way hashing of passwords.
+         It supports a wide variety of both modern and historical hashing
+         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+         and descrypt.  It provides the traditional Unix crypt and crypt_r
+         interfaces, as well as a set of extended interfaces pioneered by
+         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+         crypt_gensalt_rn, and crypt_gensalt_ra.
+
+         libxcrypt is intended to be used by login(1), passwd(1), and other
+         similar programs; that is, to hash a small number of passwords
+         during an interactive authentication dialogue with a human.  It is
+         not suitable for use in bulk password-cracking applications, or in
+         any other situation where speed is more important than careful
+         handling of sensitive data.  However, it is intended to be 
fast and
+         lightweight enough for use in servers that must field thousands of
+         login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_GLIBC_BINARY_COMPAT
+       bool
+       prompt "Enable full glibc binary compatibility"
+       help
+         When enabled, this option includes the interfaces for full binary
+         compatibility with glibc.
+
+         This setting only affects existing binaries; new programs cannot
+         be linked against them.
+
+if LIBXCRYPT_GLIBC_BINARY_COMPAT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+       bool
+       prompt "Replace obsolete functions with non-functional stubs"
+       help
+         If enabled, this option replaces the obsolete APIs (fcrypt,
+         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+         ENOSYS and return without performing any real operations.
+
+         For security reasons, the encrypt{,r} functions will also
+         overwrite their data-block argument with random bits.
+
+         The fcrypt function will also always return NULL-pointer.
+
+endif
+
+config LIBXCRYPT_BCRYPT_X
+       bool
+       prompt "Support for verifying weak bcrypt ($2x$) hashes"
+       help
+         The alternative prefix "$2x$" provides bug-compatibility with
+         crypt_blowfish 1.0.4 and earlier, which incorrectly processed
+         characters with the 8th bit set.
+
+config LIBXCRYPT_SHA1CRYPT
+       bool
+       prompt "sha1crypt ($sha1) hashing method"
+       help
+         A hash based on HMAC-SHA1.  Originally developed for NetBSD.
+
+         Enable this for compatibility with passphrases that have been
+         hashed on NetBSD.
+
+config LIBXCRYPT_SUNMD5
+       bool
+       prompt "SunMD5 ($md5) hashing method"
+       help
+         A hash based on the MD5 algorithm, with additional cleverness
+         to make precomputation difficult.
+
+         Enable this for full compatibility with passphrases that have
+         been hashed on Solaris.
+
+config LIBXCRYPT_NTHASH
+       bool
+       prompt "NTHASH ($3$) hashing method"
+       help
+         The hashing method used for network authentication in some
+         versions of the SMB/CIFS protocol.
+
+         Available, for cross-compatibility's sake, on FreeBSD.
+
+config LIBXCRYPT_BSDICRYPT
+       bool
+       prompt "bsdicrypt ($2x$) hashing method"
+       help
+         A weak extension of traditional DES, which eliminates the
+         length limit, increases the salt size, and makes the time
+         cost tunable.
+
+         It originates with BSDI and is also available on at least
+         NetBSD, OpenBSD, FreeBSD, and MacOSX.
+
+config LIBXCRYPT_BIGCRYPT
+       bool
+       prompt "bigcrypt hashing method"
+       help
+         A weak extension of traditional DES, available on some
+         System V-derived Unixes.  All it does is raise the length
+         limit from 8 to 128 characters, and it does this in a crude
+         way that allows attackers to guess chunks of a long passphrase
+         in parallel.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..266e42640
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,95 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION      := 4.4.28
+LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
+LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX       := tar.xz
+LIBXCRYPT_URL          := 
https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND 
BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5  := 
file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# 
----------------------------------------------------------------------------
+# Prepare
+# 
----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
+HASH_METHODS := $(HASH_METHODS),bcrypt_x
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
+HASH_METHODS := $(HASH_METHODS),sha1crypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_SUNMD5
+HASH_METHODS := $(HASH_METHODS),sunmd5
+endif
+
+ifdef PTXCONF_LIBXCRYPT_NTHASH
+HASH_METHODS := $(HASH_METHODS),nt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
+HASH_METHODS := $(HASH_METHODS),bsdicrypt
+endif
+
+ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
+HASH_METHODS := $(HASH_METHODS),bigcrypt
+endif
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL    := autoconf
+LIBXCRYPT_CONF_OPT     := \
+       $(CROSS_AUTOCONF_USR) \
+       --disable-failure-tokens \
+       --disable-static \
+       --disable-valgrind \
+       --enable-obsolete-api=$(call 
ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \
+       --enable-obsolete-api-enosys=$(call 
ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+       --enable-hashes=$(HASH_METHODS) \
+       --enable-xcrypt-compat-files
+
+# 
----------------------------------------------------------------------------
+# Target-Install
+# 
----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+       @$(call targetinfo)
+
+       @$(call install_init, libxcrypt)
+       @$(call install_fixup, libxcrypt,PRIORITY,optional)
+       @$(call install_fixup, libxcrypt,SECTION,base)
+       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser 
<bes@pengutronix.de>")
+       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
+
+       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+       @$(call install_finish, libxcrypt)
+
+       @$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..ee9cb0f34 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -24,12 +24,16 @@ config UCLIBC_C

           Better not turn this option off..

+if LIBC_CRYPT_NATIVE_CRYPT
+
  config UCLIBC_CRYPT
         bool
         prompt "Install libcrypt"
         help
           The encryption/decryption library

+endif
+
  config UCLIBC_DL
         bool
         prompt "Install libdl"
-- 
2.34.1

Re: [ptxdist] [PATCH v6] libxcrypt: new package

[Michael Olbrich]

Hi,

On Thu, May 05, 2022 at 02:46:20PM +0200, Andreas Helmcke wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.

I think I need some more background to decide what the correct integration
is. From what I understand, the situation is like this:

1. libxcrypt is fully binary backwards compatible. So we don't need to
build it before building any packages that could use the libcrypt from
glibc.

2. libxcrypt provides additional functionality. So packages that want to
use this must have the correct dependencies.

If this is correct then we need some changes. Mixing 'select' and 'choice'
does not work properly with kconfig.


> Co-authored-by: Andreas Helmcke <ahe@helmcke.name>
> Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> ---
> 
> v5 -> v6: (by Andreas Helmcke)
>   - Updated commit message to properly address authors
> 
> v4 -> v5: (by Andreas Helmcke)
>   - Update libxcrypt 4.4.10 -> 4.4.24
>   - Changed download url to official tar, which does not need autoconf
>   - Changed the config variable names to reflect menu structure
>   - Corrected two typos
> 
> original work by Björn Esser :
> v3 -> v4:
>   - Update libxcrypt 4.4.9 -> 4.4.10
> 
> v2 -> v3:
>   - Added 3 files that also needed minor adaptions and I forgot to add
>     to the initial patch.
> 
> v1 -> v2:
>   - Adapt the two remarks pointed out by Dennis Osterland
> 
> 
> 
>  rules/glibc.in       |   4 ++
>  rules/libc.in        |   7 ++-
>  rules/libcrypt.in    |  38 +++++++++++++++
>  rules/libcrypt.make  |  16 ++++++
>  rules/libxcrypt.in   | 114 +++++++++++++++++++++++++++++++++++++++++++
>  rules/libxcrypt.make |  95 ++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |   4 ++
>  7 files changed, 274 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libcrypt.in
>  create mode 100644 rules/libcrypt.make
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 16e5e84d1..1d1fa4980 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -79,12 +79,16 @@ config GLIBC_DL
>           functionality you should probably use libtool instead. It is much
> more cross
>           platform compatible than dlopen, etc. It also supports BeOS. See
> related links.
> 
> +if LIBC_CRYPT_NATIVE_CRYPT
> +
>  config GLIBC_CRYPT
>         bool
>         prompt "Install libcrypt"
>         help
>           The encryption/decryption library
> 
> +endif
> +
>  config GLIBC_UTIL
>         bool
>         prompt "Install libutil"
> diff --git a/rules/libc.in b/rules/libc.in
> index 1614affd9..01fe55af5 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -57,10 +57,9 @@ config LIBC_DL
>         select GLIBC_DL                 if LIBC_GLIBC
>         select UCLIBC_DL                if LIBC_UCLIBC
> 
> -config LIBC_CRYPT
> -       bool
> -       select GLIBC_CRYPT              if LIBC_GLIBC
> -       select UCLIBC_CRYPT             if LIBC_UCLIBC

Keep this but with 'if LIBC_GLIBC && !LIBC_CRYPT_NATIVE_CRYPT' etc.

and define LIBC_CRYPT_NATIVE_CRYPT here with 'default !LIBXCRYPT' here.

> +#
> +# LIBC_CRYPT is handled by rules/libcrypt.in.
> +#
> 
>  config LIBC_UTIL
>         bool
> diff --git a/rules/libcrypt.in b/rules/libcrypt.in
> new file mode 100644
> index 000000000..117cb72a5
> --- /dev/null
> +++ b/rules/libcrypt.in
> @@ -0,0 +1,38 @@
> +## SECTION=core
> +
> +menuconfig LIBC_CRYPT
> +       bool
> +       prompt "POSIX crypt implementation    "
> +       select LIBXCRYPT        if !LIBC_CRYPT_NATIVE_CRYPT
> +       select LIBC_CRYPT_INTERNAL_CRYPT        if LIBC_CRYPT_NATIVE_CRYPT
> +
> +if LIBC_CRYPT
> +
> +choice
> +       prompt "POSIX crypt implementation    "
> +       default LIBC_CRYPT_NATIVE_CRYPT
> +
> +       config LIBC_CRYPT_NATIVE_CRYPT
> +               bool
> +               prompt "libc internal"
> +               help
> +                 This menu entry selects the basic libcrypt provided
> +                 by the selected libc implementation of the system.
> +
> +       config LIBC_CRYPT_EXTENDED_CRYPT
> +               bool
> +               prompt "libxcrypt    "
> +               help
> +                 This menu entry selects the extended libcrypt
> +                 implementation provided by the libxcrypt package.
> +
> +                 Please see "System Libraries" for the configuration
> +                 options of libxcrypt.
> +endchoice
> +
> +config LIBC_CRYPT_INTERNAL_CRYPT
> +       bool
> +       select GLIBC_CRYPT      if LIBC_GLIBC
> +       select UCLIBC_CRYPT     if LIBC_UCLIBC
> +
> +endif

drop this.

> diff --git a/rules/libcrypt.make b/rules/libcrypt.make
> new file mode 100644
> index 000000000..6f1448fe0
> --- /dev/null
> +++ b/rules/libcrypt.make
> @@ -0,0 +1,16 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBC_CRYPT) += libcrypt
> +
> +LIBCRYPT_LICENSE:= ignore
> +
> +# vim: syntax=make
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..281dabde2
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,114 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +       bool
> +       prompt "libxcrypt                     "
> +       depends on !LIBC_CRYPT_NATIVE_CRYPT

drop this line.

Now libxcrypt will be used as soon as it is manually selected or when a
package depends on it.

> +       help
> +         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +         libxcrypt is a modern library for one-way hashing of passwords.
> +         It supports a wide variety of both modern and historical hashing
> +         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +         and descrypt.  It provides the traditional Unix crypt and crypt_r
> +         interfaces, as well as a set of extended interfaces pioneered by
> +         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +         crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +         libxcrypt is intended to be used by login(1), passwd(1), and other
> +         similar programs; that is, to hash a small number of passwords
> +         during an interactive authentication dialogue with a human.  It is
> +         not suitable for use in bulk password-cracking applications, or in
> +         any other situation where speed is more important than careful
> +         handling of sensitive data.  However, it is intended to be fast
> and
> +         lightweight enough for use in servers that must field thousands of
> +         login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_GLIBC_BINARY_COMPAT
> +       bool
> +       prompt "Enable full glibc binary compatibility"
> +       help
> +         When enabled, this option includes the interfaces for full binary
> +         compatibility with glibc.
> +
> +         This setting only affects existing binaries; new programs cannot
> +         be linked against them.

Right, this answers one of my questions. I think this should be always
enabled. Otherwise, we need to ensure, that all packages that use libcrypt
are built after libxcrypt and that's not trivial.
While we do have some 'select LIBCRYPT', its a best effort kind of thing
because it does not fail when it's missing.

If we replace libcrypt in the toolchain, then we can disable this.

> +
> +if LIBXCRYPT_GLIBC_BINARY_COMPAT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +       bool
> +       prompt "Replace obsolete functions with non-functional stubs"
> +       help
> +         If enabled, this option replaces the obsolete APIs (fcrypt,
> +         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +         ENOSYS and return without performing any real operations.
> +
> +         For security reasons, the encrypt{,r} functions will also
> +         overwrite their data-block argument with random bits.
> +
> +         The fcrypt function will also always return NULL-pointer.

Hmmm, disabling obsolete stuff is tempting but I'm not so sure if that
makes the system more secure. That would require proper error handling by
all users. I guess an option for this is ok.

> +
> +endif
> +
> +config LIBXCRYPT_BCRYPT_X
> +       bool
> +       prompt "Support for verifying weak bcrypt ($2x$) hashes"
> +       help
> +         The alternative prefix "$2x$" provides bug-compatibility with
> +         crypt_blowfish 1.0.4 and earlier, which incorrectly processed
> +         characters with the 8th bit set.
> +
> +config LIBXCRYPT_SHA1CRYPT
> +       bool
> +       prompt "sha1crypt ($sha1) hashing method"
> +       help
> +         A hash based on HMAC-SHA1.  Originally developed for NetBSD.
> +
> +         Enable this for compatibility with passphrases that have been
> +         hashed on NetBSD.
> +
> +config LIBXCRYPT_SUNMD5
> +       bool
> +       prompt "SunMD5 ($md5) hashing method"
> +       help
> +         A hash based on the MD5 algorithm, with additional cleverness
> +         to make precomputation difficult.
> +
> +         Enable this for full compatibility with passphrases that have
> +         been hashed on Solaris.
> +
> +config LIBXCRYPT_NTHASH
> +       bool
> +       prompt "NTHASH ($3$) hashing method"
> +       help
> +         The hashing method used for network authentication in some
> +         versions of the SMB/CIFS protocol.
> +
> +         Available, for cross-compatibility's sake, on FreeBSD.
> +
> +config LIBXCRYPT_BSDICRYPT
> +       bool
> +       prompt "bsdicrypt ($2x$) hashing method"
> +       help
> +         A weak extension of traditional DES, which eliminates the
> +         length limit, increases the salt size, and makes the time
> +         cost tunable.
> +
> +         It originates with BSDI and is also available on at least
> +         NetBSD, OpenBSD, FreeBSD, and MacOSX.
> +
> +config LIBXCRYPT_BIGCRYPT
> +       bool
> +       prompt "bigcrypt hashing method"
> +       help
> +         A weak extension of traditional DES, available on some
> +         System V-derived Unixes.  All it does is raise the length
> +         limit from 8 to 128 characters, and it does this in a crude
> +         way that allows attackers to guess chunks of a long passphrase
> +         in parallel.

I don't think we need these compat options. From the help texts, none of
those are needed for compatibility with libcrypt from glibc. So I think we
should just disable this stuff. We can add an option when it's actually
needed.

> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..266e42640
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,95 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION      := 4.4.28
> +LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
> +LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX       := tar.xz
> +LIBXCRYPT_URL          := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND
> BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5  :=
> file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +#
> ----------------------------------------------------------------------------
> +# Prepare
> +#
> ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +ifdef PTXCONF_LIBXCRYPT_BCRYPT_X
> +HASH_METHODS := $(HASH_METHODS),bcrypt_x
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SHA1CRYPT
> +HASH_METHODS := $(HASH_METHODS),sha1crypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_SUNMD5
> +HASH_METHODS := $(HASH_METHODS),sunmd5
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_NTHASH
> +HASH_METHODS := $(HASH_METHODS),nt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BSDICRYPT
> +HASH_METHODS := $(HASH_METHODS),bsdicrypt
> +endif
> +
> +ifdef PTXCONF_LIBXCRYPT_BIGCRYPT
> +HASH_METHODS := $(HASH_METHODS),bigcrypt
> +endif
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL    := autoconf
> +LIBXCRYPT_CONF_OPT     := \
> +       $(CROSS_AUTOCONF_USR) \
> +       --disable-failure-tokens \
> +       --disable-static \
> +       --disable-valgrind \
> +       --enable-obsolete-api=$(call
> ptx/ifdef,PTXCONF_LIBXCRYPT_GLIBC_BINARY_COMPAT,glibc,no) \

Hmm, looks like an extra line break introduced by your MUA/MTA.

Michael

> +       --enable-obsolete-api-enosys=$(call
> ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +       --enable-hashes=$(HASH_METHODS) \
> +       --enable-xcrypt-compat-files
> +
> +#
> ----------------------------------------------------------------------------
> +# Target-Install
> +#
> ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +       @$(call targetinfo)
> +
> +       @$(call install_init, libxcrypt)
> +       @$(call install_fixup, libxcrypt,PRIORITY,optional)
> +       @$(call install_fixup, libxcrypt,SECTION,base)
> +       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser
> <bes@pengutronix.de>")
> +       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +       @$(call install_finish, libxcrypt)
> +
> +       @$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..ee9cb0f34 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -24,12 +24,16 @@ config UCLIBC_C
> 
>           Better not turn this option off..
> 
> +if LIBC_CRYPT_NATIVE_CRYPT
> +
>  config UCLIBC_CRYPT
>         bool
>         prompt "Install libcrypt"
>         help
>           The encryption/decryption library
> 
> +endif
> +
>  config UCLIBC_DL
>         bool
>         prompt "Install libdl"
> -- 
> 2.34.1
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[ptxdist] [PATCH v7] libxcrypt: new package

[Andreas Helmcke]

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Co-authored-by: Andreas Helmcke <ahe@helmcke.name>
Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
Signed-off-by: Björn Esser <bes@pengutronix.de>
---
v6 -> v7:
   - Applied the changes recommend by Michael Olbrich

v5 -> v6: (by Andreas Helmcke)
   - Updated commit message to properly address authors

v4 -> v5: (by Andreas Helmcke)
   - Update libxcrypt 4.4.10 -> 4.4.24
   - Changed download url to official tar, which does not need autoconf
   - Changed the config variable names to reflect menu structure
   - Corrected two typos

original work by Björn Esser :
v3 -> v4:
   - Update libxcrypt 4.4.9 -> 4.4.10

v2 -> v3:
   - Added 3 files that also needed minor adaptions and I forgot to add
     to the initial patch.

v1 -> v2:
   - Adapt the two remarks pointed out by Dennis Osterland

  rules/glibc.in       |  3 +-
  rules/libc.in        |  8 +++--
  rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
  rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
  rules/uclibc.in      |  3 +-
  5 files changed, 123 insertions(+), 4 deletions(-)
  create mode 100644 rules/libxcrypt.in
  create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 16e5e84d1..e574bc8f0 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -81,7 +81,8 @@ config GLIBC_DL

  config GLIBC_CRYPT
         bool
-       prompt "Install libcrypt"
+       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
+       default no if !LIBC_CRYPT_NATIVE_CRYPT
         help
           The encryption/decryption library

diff --git a/rules/libc.in b/rules/libc.in
index 1614affd9..f2e56fa62 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -27,6 +27,10 @@ choice
                 prompt "uClibc "
  endchoice

+config LIBC_CRYPT_NATIVE_CRYPT
+       bool
+       default !LIBXCRYPT
+
  source "generated/libc.in"

  endif
@@ -59,8 +63,8 @@ config LIBC_DL

  config LIBC_CRYPT
         bool
-       select GLIBC_CRYPT              if LIBC_GLIBC
-       select UCLIBC_CRYPT             if LIBC_UCLIBC
+       select GLIBC_CRYPT              if LIBC_GLIBC && 
LIBC_CRYPT_NATIVE_CRYPT
+       select UCLIBC_CRYPT             if LIBC_UCLIBC && 
LIBC_CRYPT_NATIVE_CRYPT

  config LIBC_UTIL
         bool
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..01f9dd4b1
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,42 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+       bool
+       prompt "libxcrypt                     "
+       help
+         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+         libxcrypt is a modern library for one-way hashing of passwords.
+         It supports a wide variety of both modern and historical hashing
+         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+         and descrypt.  It provides the traditional Unix crypt and crypt_r
+         interfaces, as well as a set of extended interfaces pioneered by
+         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+         crypt_gensalt_rn, and crypt_gensalt_ra.
+
+         libxcrypt is intended to be used by login(1), passwd(1), and other
+         similar programs; that is, to hash a small number of passwords
+         during an interactive authentication dialogue with a human.  It is
+         not suitable for use in bulk password-cracking applications, or in
+         any other situation where speed is more important than careful
+         handling of sensitive data.  However, it is intended to be 
fast and
+         lightweight enough for use in servers that must field thousands of
+         login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+       bool
+       prompt "Replace obsolete functions with non-functional stubs"
+       help
+         If enabled, this option replaces the obsolete APIs (fcrypt,
+         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+         ENOSYS and return without performing any real operations.
+
+         For security reasons, the encrypt{,r} functions will also
+         overwrite their data-block argument with random bits.
+
+         The fcrypt function will also always return NULL-pointer.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..930d91e8b
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,71 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION      := 4.4.28
+LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
+LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX       := tar.xz
+LIBXCRYPT_URL          := 
https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND 
BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5  := 
file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# 
----------------------------------------------------------------------------
+# Prepare
+# 
----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL    := autoconf
+LIBXCRYPT_CONF_OPT     := \
+       $(CROSS_AUTOCONF_USR) \
+       --disable-failure-tokens \
+       --disable-static \
+       --disable-valgrind \
+       --enable-obsolete-api \
+       --enable-obsolete-api-enosys=$(call 
ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+       --enable-hashes=$(HASH_METHODS) \
+       --enable-xcrypt-compat-files
+
+# 
----------------------------------------------------------------------------
+# Target-Install
+# 
----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+       @$(call targetinfo)
+
+       @$(call install_init, libxcrypt)
+       @$(call install_fixup, libxcrypt,PRIORITY,optional)
+       @$(call install_fixup, libxcrypt,SECTION,base)
+       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser 
<bes@pengutronix.de>")
+       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
+
+       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+       @$(call install_finish, libxcrypt)
+
+       @$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..39d8ca3d7 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -26,7 +26,8 @@ config UCLIBC_C

  config UCLIBC_CRYPT
         bool
-       prompt "Install libcrypt"
+       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
+       default no if !LIBC_CRYPT_NATIVE_CRYPT
         help
           The encryption/decryption library

-- 
2.34.1

Re: [ptxdist] [PATCH v7] libxcrypt: new package

[Michael Olbrich]

On Fri, May 06, 2022 at 01:27:35PM +0200, Andreas Helmcke wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Andreas Helmcke <ahe@helmcke.name>
> Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
> Signed-off-by: Björn Esser <bes@pengutronix.de>

Your Signed-off-by should be the last one.

> ---
> v6 -> v7:
>   - Applied the changes recommend by Michael Olbrich
> 
> v5 -> v6: (by Andreas Helmcke)
>   - Updated commit message to properly address authors
> 
> v4 -> v5: (by Andreas Helmcke)
>   - Update libxcrypt 4.4.10 -> 4.4.24
>   - Changed download url to official tar, which does not need autoconf
>   - Changed the config variable names to reflect menu structure
>   - Corrected two typos
> 
> original work by Björn Esser :
> v3 -> v4:
>   - Update libxcrypt 4.4.9 -> 4.4.10
> 
> v2 -> v3:
>   - Added 3 files that also needed minor adaptions and I forgot to add
>     to the initial patch.
> 
> v1 -> v2:
>   - Adapt the two remarks pointed out by Dennis Osterland
> 
>  rules/glibc.in       |  3 +-
>  rules/libc.in        |  8 +++--
>  rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
>  rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |  3 +-
>  5 files changed, 123 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 16e5e84d1..e574bc8f0 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -81,7 +81,8 @@ config GLIBC_DL
> 
>  config GLIBC_CRYPT
>         bool
> -       prompt "Install libcrypt"
> +       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +       default no if !LIBC_CRYPT_NATIVE_CRYPT
>         help
>           The encryption/decryption library
> 
> diff --git a/rules/libc.in b/rules/libc.in
> index 1614affd9..f2e56fa62 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -27,6 +27,10 @@ choice
>                 prompt "uClibc "
>  endchoice
> 
> +config LIBC_CRYPT_NATIVE_CRYPT
> +       bool
> +       default !LIBXCRYPT
> +
>  source "generated/libc.in"
> 
>  endif
> @@ -59,8 +63,8 @@ config LIBC_DL
> 
>  config LIBC_CRYPT
>         bool
> -       select GLIBC_CRYPT              if LIBC_GLIBC
> -       select UCLIBC_CRYPT             if LIBC_UCLIBC
> +       select GLIBC_CRYPT              if LIBC_GLIBC &&
> LIBC_CRYPT_NATIVE_CRYPT
> +       select UCLIBC_CRYPT             if LIBC_UCLIBC &&
> LIBC_CRYPT_NATIVE_CRYPT
> 
>  config LIBC_UTIL
>         bool
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..01f9dd4b1
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +       bool
> +       prompt "libxcrypt                     "
> +       help
> +         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +         libxcrypt is a modern library for one-way hashing of passwords.
> +         It supports a wide variety of both modern and historical hashing
> +         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +         and descrypt.  It provides the traditional Unix crypt and crypt_r
> +         interfaces, as well as a set of extended interfaces pioneered by
> +         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +         crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +         libxcrypt is intended to be used by login(1), passwd(1), and other
> +         similar programs; that is, to hash a small number of passwords
> +         during an interactive authentication dialogue with a human.  It is
> +         not suitable for use in bulk password-cracking applications, or in
> +         any other situation where speed is more important than careful
> +         handling of sensitive data.  However, it is intended to be fast
> and
> +         lightweight enough for use in servers that must field thousands of
> +         login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +       bool
> +       prompt "Replace obsolete functions with non-functional stubs"
> +       help
> +         If enabled, this option replaces the obsolete APIs (fcrypt,
> +         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +         ENOSYS and return without performing any real operations.
> +
> +         For security reasons, the encrypt{,r} functions will also
> +         overwrite their data-block argument with random bits.
> +
> +         The fcrypt function will also always return NULL-pointer.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..930d91e8b
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION      := 4.4.28
> +LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
> +LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX       := tar.xz
> +LIBXCRYPT_URL          := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND
> BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5  :=
> file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c

There are still extra line breaks here. Maybe send it as an attachment?

Michael

> +
> +#
> ----------------------------------------------------------------------------
> +# Prepare
> +#
> ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL    := autoconf
> +LIBXCRYPT_CONF_OPT     := \
> +       $(CROSS_AUTOCONF_USR) \
> +       --disable-failure-tokens \
> +       --disable-static \
> +       --disable-valgrind \
> +       --enable-obsolete-api \
> +       --enable-obsolete-api-enosys=$(call
> ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +       --enable-hashes=$(HASH_METHODS) \
> +       --enable-xcrypt-compat-files
> +
> +#
> ----------------------------------------------------------------------------
> +# Target-Install
> +#
> ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +       @$(call targetinfo)
> +
> +       @$(call install_init, libxcrypt)
> +       @$(call install_fixup, libxcrypt,PRIORITY,optional)
> +       @$(call install_fixup, libxcrypt,SECTION,base)
> +       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser
> <bes@pengutronix.de>")
> +       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +       @$(call install_finish, libxcrypt)
> +
> +       @$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..39d8ca3d7 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -26,7 +26,8 @@ config UCLIBC_C
> 
>  config UCLIBC_CRYPT
>         bool
> -       prompt "Install libcrypt"
> +       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +       default no if !LIBC_CRYPT_NATIVE_CRYPT
>         help
>           The encryption/decryption library
> 
> -- 
> 2.34.1
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Re: [ptxdist] [PATCH v7] libxcrypt: new package

[Alexander Dahl]

Hello Andreas,

from my side only some more nitpicks on the process, not the content …
see below. ;-)

Am Fri, May 06, 2022 at 01:27:35PM +0200 schrieb Andreas Helmcke:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Andreas Helmcke <ahe@helmcke.name>
> Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
> Signed-off-by: Björn Esser <bes@pengutronix.de>

This looks now like you authored the patch (From:), co-authored it
(makes no sense), and Björn signed it, which is probably questionable
for v7.  Did you mean Co-authored-by: Björn …?

> ---
> v6 -> v7:
>   - Applied the changes recommend by Michael Olbrich
> 
> v5 -> v6: (by Andreas Helmcke)
>   - Updated commit message to properly address authors
> 
> v4 -> v5: (by Andreas Helmcke)
>   - Update libxcrypt 4.4.10 -> 4.4.24
>   - Changed download url to official tar, which does not need autoconf
>   - Changed the config variable names to reflect menu structure
>   - Corrected two typos
> 
> original work by Björn Esser :
> v3 -> v4:
>   - Update libxcrypt 4.4.9 -> 4.4.10
> 
> v2 -> v3:
>   - Added 3 files that also needed minor adaptions and I forgot to add
>     to the initial patch.
> 
> v1 -> v2:
>   - Adapt the two remarks pointed out by Dennis Osterland
> 
>  rules/glibc.in       |  3 +-
>  rules/libc.in        |  8 +++--
>  rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
>  rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |  3 +-
>  5 files changed, 123 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make

All the changes for the three non new files do not apply cleanly on
recent ptxdist master.  I would rebase or pass '--base xyz' to git
format-patch.

Greets
Alex

> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 16e5e84d1..e574bc8f0 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -81,7 +81,8 @@ config GLIBC_DL
> 
>  config GLIBC_CRYPT
>         bool
> -       prompt "Install libcrypt"
> +       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +       default no if !LIBC_CRYPT_NATIVE_CRYPT
>         help
>           The encryption/decryption library
> 
> diff --git a/rules/libc.in b/rules/libc.in
> index 1614affd9..f2e56fa62 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -27,6 +27,10 @@ choice
>                 prompt "uClibc "
>  endchoice
> 
> +config LIBC_CRYPT_NATIVE_CRYPT
> +       bool
> +       default !LIBXCRYPT
> +
>  source "generated/libc.in"
> 
>  endif
> @@ -59,8 +63,8 @@ config LIBC_DL
> 
>  config LIBC_CRYPT
>         bool
> -       select GLIBC_CRYPT              if LIBC_GLIBC
> -       select UCLIBC_CRYPT             if LIBC_UCLIBC
> +       select GLIBC_CRYPT              if LIBC_GLIBC &&
> LIBC_CRYPT_NATIVE_CRYPT
> +       select UCLIBC_CRYPT             if LIBC_UCLIBC &&
> LIBC_CRYPT_NATIVE_CRYPT
> 
>  config LIBC_UTIL
>         bool
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..01f9dd4b1
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +       bool
> +       prompt "libxcrypt                     "
> +       help
> +         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +         libxcrypt is a modern library for one-way hashing of passwords.
> +         It supports a wide variety of both modern and historical hashing
> +         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +         and descrypt.  It provides the traditional Unix crypt and crypt_r
> +         interfaces, as well as a set of extended interfaces pioneered by
> +         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +         crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +         libxcrypt is intended to be used by login(1), passwd(1), and other
> +         similar programs; that is, to hash a small number of passwords
> +         during an interactive authentication dialogue with a human.  It is
> +         not suitable for use in bulk password-cracking applications, or in
> +         any other situation where speed is more important than careful
> +         handling of sensitive data.  However, it is intended to be fast
> and
> +         lightweight enough for use in servers that must field thousands of
> +         login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +       bool
> +       prompt "Replace obsolete functions with non-functional stubs"
> +       help
> +         If enabled, this option replaces the obsolete APIs (fcrypt,
> +         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +         ENOSYS and return without performing any real operations.
> +
> +         For security reasons, the encrypt{,r} functions will also
> +         overwrite their data-block argument with random bits.
> +
> +         The fcrypt function will also always return NULL-pointer.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..930d91e8b
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION      := 4.4.28
> +LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
> +LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX       := tar.xz
> +LIBXCRYPT_URL          := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND
> BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5  :=
> file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +#
> ----------------------------------------------------------------------------
> +# Prepare
> +#
> ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL    := autoconf
> +LIBXCRYPT_CONF_OPT     := \
> +       $(CROSS_AUTOCONF_USR) \
> +       --disable-failure-tokens \
> +       --disable-static \
> +       --disable-valgrind \
> +       --enable-obsolete-api \
> +       --enable-obsolete-api-enosys=$(call
> ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +       --enable-hashes=$(HASH_METHODS) \
> +       --enable-xcrypt-compat-files
> +
> +#
> ----------------------------------------------------------------------------
> +# Target-Install
> +#
> ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +       @$(call targetinfo)
> +
> +       @$(call install_init, libxcrypt)
> +       @$(call install_fixup, libxcrypt,PRIORITY,optional)
> +       @$(call install_fixup, libxcrypt,SECTION,base)
> +       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser
> <bes@pengutronix.de>")
> +       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +       @$(call install_finish, libxcrypt)
> +
> +       @$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..39d8ca3d7 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -26,7 +26,8 @@ config UCLIBC_C
> 
>  config UCLIBC_CRYPT
>         bool
> -       prompt "Install libcrypt"
> +       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +       default no if !LIBC_CRYPT_NATIVE_CRYPT
>         help
>           The encryption/decryption library
> 
> -- 
> 2.34.1
> 

[ptxdist] [PATCH v8] libxcrypt: new package

[Andreas Helmcke]

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Co-authored-by: Björn Esser <bes@pengutronix.de>
Signed-off-by: Björn Esser <bes@pengutronix.de>
Signed-off-by: Andreas Helmcke <ahe@helmcke.name>
---
v7 -> v8:
   - Rebased to current HEAD
   - Updated commit message Co-authored-by and Signed-off-by lines.

v6 -> v7:
   - Applied the changes recommended by Michael Olbrich

v5 -> v6: (by Andreas Helmcke)
   - Updated commit message to properly address authors

v4 -> v5: (by Andreas Helmcke)
   - Update libxcrypt 4.4.10 -> 4.4.24
   - Changed download url to official tar, which does not need autoconf
   - Changed the config variable names to reflect menu structure
   - Corrected two typos

original work by Björn Esser :
v3 -> v4:
   - Update libxcrypt 4.4.9 -> 4.4.10

v2 -> v3:
   - Added 3 files that also needed minor adaptions and I forgot to add
     to the initial patch.

v1 -> v2:
   - Adapt the two remarks pointed out by Dennis Osterland

  rules/glibc.in       |  3 +-
  rules/libc.in        |  8 +++--
  rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
  rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
  rules/uclibc.in      |  3 +-
  5 files changed, 123 insertions(+), 4 deletions(-)
  create mode 100644 rules/libxcrypt.in
  create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 16e5e84d1..e574bc8f0 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -81,7 +81,8 @@ config GLIBC_DL
  
  config GLIBC_CRYPT
         bool
-       prompt "Install libcrypt"
+       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
+       default no if !LIBC_CRYPT_NATIVE_CRYPT
         help
           The encryption/decryption library
  
diff --git a/rules/libc.in b/rules/libc.in
index 1614affd9..f2e56fa62 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -27,6 +27,10 @@ choice
                 prompt "uClibc "
  endchoice
  
+config LIBC_CRYPT_NATIVE_CRYPT
+       bool
+       default !LIBXCRYPT
+
  source "generated/libc.in"
  
  endif
@@ -59,8 +63,8 @@ config LIBC_DL
  
  config LIBC_CRYPT
         bool
-       select GLIBC_CRYPT              if LIBC_GLIBC
-       select UCLIBC_CRYPT             if LIBC_UCLIBC
+       select GLIBC_CRYPT              if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT
+       select UCLIBC_CRYPT             if LIBC_UCLIBC && LIBC_CRYPT_NATIVE_CRYPT
  
  config LIBC_UTIL
         bool
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..01f9dd4b1
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,42 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+       bool
+       prompt "libxcrypt                     "
+       help
+         Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+         libxcrypt is a modern library for one-way hashing of passwords.
+         It supports a wide variety of both modern and historical hashing
+         methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+         sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+         and descrypt.  It provides the traditional Unix crypt and crypt_r
+         interfaces, as well as a set of extended interfaces pioneered by
+         Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+         crypt_gensalt_rn, and crypt_gensalt_ra.
+
+         libxcrypt is intended to be used by login(1), passwd(1), and other
+         similar programs; that is, to hash a small number of passwords
+         during an interactive authentication dialogue with a human.  It is
+         not suitable for use in bulk password-cracking applications, or in
+         any other situation where speed is more important than careful
+         handling of sensitive data.  However, it is intended to be fast and
+         lightweight enough for use in servers that must field thousands of
+         login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+       bool
+       prompt "Replace obsolete functions with non-functional stubs"
+       help
+         If enabled, this option replaces the obsolete APIs (fcrypt,
+         encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+         ENOSYS and return without performing any real operations.
+
+         For security reasons, the encrypt{,r} functions will also
+         overwrite their data-block argument with random bits.
+
+         The fcrypt function will also always return NULL-pointer.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..930d91e8b
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,71 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION      := 4.4.28
+LIBXCRYPT_MD5          := 0b873e641ae201e5e7470cf791c0fe16
+LIBXCRYPT              := libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX       := tar.xz
+LIBXCRYPT_URL          := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE       := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR          := $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE      := LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5  := file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL    := autoconf
+LIBXCRYPT_CONF_OPT     := \
+       $(CROSS_AUTOCONF_USR) \
+       --disable-failure-tokens \
+       --disable-static \
+       --disable-valgrind \
+       --enable-obsolete-api \
+       --enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+       --enable-hashes=$(HASH_METHODS) \
+       --enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+       @$(call targetinfo)
+
+       @$(call install_init, libxcrypt)
+       @$(call install_fixup, libxcrypt,PRIORITY,optional)
+       @$(call install_fixup, libxcrypt,SECTION,base)
+       @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+       @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
+
+       @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+       @$(call install_finish, libxcrypt)
+
+       @$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..39d8ca3d7 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -26,7 +26,8 @@ config UCLIBC_C
  
  config UCLIBC_CRYPT
         bool
-       prompt "Install libcrypt"
+       prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
+       default no if !LIBC_CRYPT_NATIVE_CRYPT
         help
           The encryption/decryption library
  
-- 
2.34.1

[ptxdist] [PATCH v9] libxcrypt: new package

[Andreas Helmcke]

Also implement the needed logic to (optionally) replace
the libcrypt from the selected libc with libxcrypt.

libxcrypt is a modern library for one-way hashing of passwords.
It supports a wide variety of both modern and historical hashing
methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
and descrypt. It provides the traditional Unix crypt and crypt_r
interfaces, as well as a set of extended interfaces pioneered by
Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
and crypt_gensalt_ra.

libxcrypt is intended to be used by login(1), passwd(1), and other
similar programs; that is, to hash a small number of passwords
during an interactive authentication dialogue with a human.  It is
not suitable for use in bulk password-cracking applications, or in
any other situation where speed is more important than careful
handling of sensitive data.  However, it is intended to be fast and
lightweight enough for use in servers that must field thousands of
login attempts per minute.

Co-authored-by: Björn Esser <bes@pengutronix.de>
Signed-off-by: Björn Esser <bes@pengutronix.de>
Signed-off-by: Andreas Helmcke <ahelmcke@ela-soft.com>
---
v8 -> v9:
  - Update libxcrypt 4.4.24 -> 4.4.36
  - Rebased to current HEAD (90875f8a)
  - Updated Signed-off-by email-address

v7 -> v8:
  - Rebased to current HEAD
  - Updated commit message Co-authored-by and Signed-off-by lines.

v6 -> v7:
  - Applied the changes recommended by Michael Olbrich

v5 -> v6: (by Andreas Helmcke)
  - Updated commit message to properly address authors

v4 -> v5: (by Andreas Helmcke)
  - Update libxcrypt 4.4.10 -> 4.4.24
  - Changed download url to official tar, which does not need autoconf
  - Changed the config variable names to reflect menu structure
  - Corrected two typos

original work by Björn Esser :
v3 -> v4:
  - Update libxcrypt 4.4.9 -> 4.4.10

v2 -> v3:
  - Added 3 files that also needed minor adaptions and I forgot to add
    to the initial patch.

v1 -> v2:
  - Adapt the two remarks pointed out by Dennis Osterland

 rules/glibc.in       |  3 +-
 rules/libc.in        |  8 +++--
 rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
 rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
 rules/uclibc.in      |  3 +-
 5 files changed, 123 insertions(+), 4 deletions(-)
 create mode 100644 rules/libxcrypt.in
 create mode 100644 rules/libxcrypt.make

diff --git a/rules/glibc.in b/rules/glibc.in
index 2bcaa8893..67688ef49 100644
--- a/rules/glibc.in
+++ b/rules/glibc.in
@@ -99,7 +99,8 @@ config GLIBC_DL
 
 config GLIBC_CRYPT
 	bool
-	prompt "Install libcrypt"
+	prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
+	default no if !LIBC_CRYPT_NATIVE_CRYPT
 	help
 	  The encryption/decryption library
 
diff --git a/rules/libc.in b/rules/libc.in
index f7d1d2be6..1ce26297d 100644
--- a/rules/libc.in
+++ b/rules/libc.in
@@ -27,6 +27,10 @@ choice
 		prompt "uClibc "
 endchoice
 
+config LIBC_CRYPT_NATIVE_CRYPT
+	bool
+	default !LIBXCRYPT
+
 source "generated/libc.in"
 
 endif
@@ -59,8 +63,8 @@ config LIBC_DL
 
 config LIBC_CRYPT
 	bool
-	select GLIBC_CRYPT		if LIBC_GLIBC
-	select UCLIBC_CRYPT		if LIBC_UCLIBC
+	select GLIBC_CRYPT		if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT
+	select UCLIBC_CRYPT		if LIBC_UCLIBC && LIBC_CRYPT_NATIVE_CRYPT
 
 config LIBC_UTIL
 	bool
diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
new file mode 100644
index 000000000..01f9dd4b1
--- /dev/null
+++ b/rules/libxcrypt.in
@@ -0,0 +1,42 @@
+## SECTION=system_libraries
+
+menuconfig LIBXCRYPT
+	bool
+	prompt "libxcrypt                     "
+	help
+	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
+
+	  libxcrypt is a modern library for one-way hashing of passwords.
+	  It supports a wide variety of both modern and historical hashing
+	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
+	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
+	  and descrypt.  It provides the traditional Unix crypt and crypt_r
+	  interfaces, as well as a set of extended interfaces pioneered by
+	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
+	  crypt_gensalt_rn, and crypt_gensalt_ra.
+
+	  libxcrypt is intended to be used by login(1), passwd(1), and other
+	  similar programs; that is, to hash a small number of passwords
+	  during an interactive authentication dialogue with a human.  It is
+	  not suitable for use in bulk password-cracking applications, or in
+	  any other situation where speed is more important than careful
+	  handling of sensitive data.  However, it is intended to be fast and
+	  lightweight enough for use in servers that must field thousands of
+	  login attempts per minute.
+
+if LIBXCRYPT
+
+config LIBXCRYPT_OBSOLETE_STUBS
+	bool
+	prompt "Replace obsolete functions with non-functional stubs"
+	help
+	  If enabled, this option replaces the obsolete APIs (fcrypt,
+	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
+	  ENOSYS and return without performing any real operations.
+
+	  For security reasons, the encrypt{,r} functions will also
+	  overwrite their data-block argument with random bits.
+
+	  The fcrypt function will also always return NULL-pointer.
+
+endif
diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
new file mode 100644
index 000000000..e048968d0
--- /dev/null
+++ b/rules/libxcrypt.make
@@ -0,0 +1,71 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
+
+#
+# Paths and names
+#
+LIBXCRYPT_VERSION	:= 4.4.36
+LIBXCRYPT_MD5		:= b84cd4104e08c975063ec6c4d0372446
+LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
+LIBXCRYPT_SUFFIX	:= tar.xz
+LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
+LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
+LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
+LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+#
+# options
+#
+
+# Hash methods enabled by default.
+HASH_METHODS := glibc,strong
+
+#
+# autoconf
+#
+LIBXCRYPT_CONF_TOOL	:= autoconf
+LIBXCRYPT_CONF_OPT	:= \
+	$(CROSS_AUTOCONF_USR) \
+	--disable-failure-tokens \
+	--disable-static \
+	--disable-valgrind \
+	--enable-obsolete-api \
+	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
+	--enable-hashes=$(HASH_METHODS) \
+	--enable-xcrypt-compat-files
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/libxcrypt.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, libxcrypt)
+	@$(call install_fixup, libxcrypt,PRIORITY,optional)
+	@$(call install_fixup, libxcrypt,SECTION,base)
+	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
+	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
+
+	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
+
+	@$(call install_finish, libxcrypt)
+
+	@$(call touch)
+
+# vim: syntax=make
diff --git a/rules/uclibc.in b/rules/uclibc.in
index 1fa99eba5..39d8ca3d7 100644
--- a/rules/uclibc.in
+++ b/rules/uclibc.in
@@ -26,7 +26,8 @@ config UCLIBC_C
 
 config UCLIBC_CRYPT
 	bool
-	prompt "Install libcrypt"
+	prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
+	default no if !LIBC_CRYPT_NATIVE_CRYPT
 	help
 	  The encryption/decryption library
 
-- 
2.39.2

Re: [ptxdist] [APPLIED] libxcrypt: new package

[Michael Olbrich]

Thanks, applied as a7d876d7f095a2ba80a7ccc24eb7ce9690ed0792.

Michael

[sent from post-receive hook]

On Fri, 10 Nov 2023 08:25:26 +0100, Andreas Helmcke <ahelmcke@ela-soft.com> wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Andreas Helmcke <ahelmcke@ela-soft.com>
> Message-Id: <358b0e0c-b888-41f1-a21f-f9fa4d15b0fc@ela-soft.com>
> [mol: only use it with glibc and add dependencies]
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 2bcaa8893e64..03847b2be916 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -28,6 +28,13 @@ config GLIBC_2_34
>  	  libraries can still be selected explicitly here if necessary.
>  	  For example if legacy binaries link to such a library.
>  
> +config GLIBC_2_38
> +	bool
> +	prompt "glibc-2.38 or later"
> +	help
> +	  In glibc-2.38 libcrypt was deprecated and removed afterwards.
> +	  So libxcrypt is needed to provide the libcrypt implmentation.
> +
>  config GLIBC_LD
>  	bool
>  	help
> @@ -99,6 +106,7 @@ config GLIBC_DL
>  
>  config GLIBC_CRYPT
>  	bool
> +	depends on !GLIBC_2_38
>  	prompt "Install libcrypt"
>  	help
>  	  The encryption/decryption library
> diff --git a/rules/libc.in b/rules/libc.in
> index f7d1d2be6c17..34cf9900b714 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -59,7 +59,10 @@ config LIBC_DL
>  
>  config LIBC_CRYPT
>  	bool
> -	select GLIBC_CRYPT		if LIBC_GLIBC
> +	select GLIBC_CRYPT		if LIBC_GLIBC && !GLIBC_2_38
> +	select LIBXCRYPT		if LIBC_GLIBC && GLIBC_2_38
> +	# use virtual here to propagate the dependency
> +	select VIRTUAL			if LIBC_GLIBC && GLIBC_2_38
>  	select UCLIBC_CRYPT		if LIBC_UCLIBC
>  
>  config LIBC_UTIL
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000000..01f9dd4b15b0
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000000..e048968d0cc4
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.36
> +LIBXCRYPT_MD5		:= b84cd4104e08c975063ec6c4d0372446
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.xz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make

Re: [ptxdist] [PATCH v9] libxcrypt: new package

[Michael Olbrich]

On Mon, Oct 16, 2023 at 07:01:59PM +0200, Andreas Helmcke wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Andreas Helmcke <ahelmcke@ela-soft.com>

Fyi, I made some modifications to this: I don't think combining xcrypt with
uclibc makes sense, so I dropped that. And I added the proper dependencies
to make sure libxcrypt is built first. This is not yet relevant, but with a
newer glibc where libcrypt is entirely gone, this will be necessary.

Michael

> ---
> v8 -> v9:
>   - Update libxcrypt 4.4.24 -> 4.4.36
>   - Rebased to current HEAD (90875f8a)
>   - Updated Signed-off-by email-address
> 
> v7 -> v8:
>   - Rebased to current HEAD
>   - Updated commit message Co-authored-by and Signed-off-by lines.
> 
> v6 -> v7:
>   - Applied the changes recommended by Michael Olbrich
> 
> v5 -> v6: (by Andreas Helmcke)
>   - Updated commit message to properly address authors
> 
> v4 -> v5: (by Andreas Helmcke)
>   - Update libxcrypt 4.4.10 -> 4.4.24
>   - Changed download url to official tar, which does not need autoconf
>   - Changed the config variable names to reflect menu structure
>   - Corrected two typos
> 
> original work by Björn Esser :
> v3 -> v4:
>   - Update libxcrypt 4.4.9 -> 4.4.10
> 
> v2 -> v3:
>   - Added 3 files that also needed minor adaptions and I forgot to add
>     to the initial patch.
> 
> v1 -> v2:
>   - Adapt the two remarks pointed out by Dennis Osterland
> 
>  rules/glibc.in       |  3 +-
>  rules/libc.in        |  8 +++--
>  rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
>  rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |  3 +-
>  5 files changed, 123 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 2bcaa8893..67688ef49 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -99,7 +99,8 @@ config GLIBC_DL
>  
>  config GLIBC_CRYPT
>  	bool
> -	prompt "Install libcrypt"
> +	prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +	default no if !LIBC_CRYPT_NATIVE_CRYPT
>  	help
>  	  The encryption/decryption library
>  
> diff --git a/rules/libc.in b/rules/libc.in
> index f7d1d2be6..1ce26297d 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -27,6 +27,10 @@ choice
>  		prompt "uClibc "
>  endchoice
>  
> +config LIBC_CRYPT_NATIVE_CRYPT
> +	bool
> +	default !LIBXCRYPT
> +
>  source "generated/libc.in"
>  
>  endif
> @@ -59,8 +63,8 @@ config LIBC_DL
>  
>  config LIBC_CRYPT
>  	bool
> -	select GLIBC_CRYPT		if LIBC_GLIBC
> -	select UCLIBC_CRYPT		if LIBC_UCLIBC
> +	select GLIBC_CRYPT		if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT
> +	select UCLIBC_CRYPT		if LIBC_UCLIBC && LIBC_CRYPT_NATIVE_CRYPT
>  
>  config LIBC_UTIL
>  	bool
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..01f9dd4b1
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..e048968d0
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.36
> +LIBXCRYPT_MD5		:= b84cd4104e08c975063ec6c4d0372446
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.xz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..39d8ca3d7 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -26,7 +26,8 @@ config UCLIBC_C
>  
>  config UCLIBC_CRYPT
>  	bool
> -	prompt "Install libcrypt"
> +	prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +	default no if !LIBC_CRYPT_NATIVE_CRYPT
>  	help
>  	  The encryption/decryption library
>  
> -- 
> 2.39.2
> 
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |