Re: [ptxdist] [PATCH v9] libxcrypt: new package

[Michael Olbrich <m.olbrich@pengutronix.de>]

On Mon, Oct 16, 2023 at 07:01:59PM +0200, Andreas Helmcke wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Björn Esser <bes@pengutronix.de>
> Signed-off-by: Andreas Helmcke <ahelmcke@ela-soft.com>

Fyi, I made some modifications to this: I don't think combining xcrypt with
uclibc makes sense, so I dropped that. And I added the proper dependencies
to make sure libxcrypt is built first. This is not yet relevant, but with a
newer glibc where libcrypt is entirely gone, this will be necessary.

Michael

> ---
> v8 -> v9:
>   - Update libxcrypt 4.4.24 -> 4.4.36
>   - Rebased to current HEAD (90875f8a)
>   - Updated Signed-off-by email-address
> 
> v7 -> v8:
>   - Rebased to current HEAD
>   - Updated commit message Co-authored-by and Signed-off-by lines.
> 
> v6 -> v7:
>   - Applied the changes recommended by Michael Olbrich
> 
> v5 -> v6: (by Andreas Helmcke)
>   - Updated commit message to properly address authors
> 
> v4 -> v5: (by Andreas Helmcke)
>   - Update libxcrypt 4.4.10 -> 4.4.24
>   - Changed download url to official tar, which does not need autoconf
>   - Changed the config variable names to reflect menu structure
>   - Corrected two typos
> 
> original work by Björn Esser :
> v3 -> v4:
>   - Update libxcrypt 4.4.9 -> 4.4.10
> 
> v2 -> v3:
>   - Added 3 files that also needed minor adaptions and I forgot to add
>     to the initial patch.
> 
> v1 -> v2:
>   - Adapt the two remarks pointed out by Dennis Osterland
> 
>  rules/glibc.in       |  3 +-
>  rules/libc.in        |  8 +++--
>  rules/libxcrypt.in   | 42 ++++++++++++++++++++++++++
>  rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++
>  rules/uclibc.in      |  3 +-
>  5 files changed, 123 insertions(+), 4 deletions(-)
>  create mode 100644 rules/libxcrypt.in
>  create mode 100644 rules/libxcrypt.make
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 2bcaa8893..67688ef49 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -99,7 +99,8 @@ config GLIBC_DL
>  
>  config GLIBC_CRYPT
>  	bool
> -	prompt "Install libcrypt"
> +	prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +	default no if !LIBC_CRYPT_NATIVE_CRYPT
>  	help
>  	  The encryption/decryption library
>  
> diff --git a/rules/libc.in b/rules/libc.in
> index f7d1d2be6..1ce26297d 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -27,6 +27,10 @@ choice
>  		prompt "uClibc "
>  endchoice
>  
> +config LIBC_CRYPT_NATIVE_CRYPT
> +	bool
> +	default !LIBXCRYPT
> +
>  source "generated/libc.in"
>  
>  endif
> @@ -59,8 +63,8 @@ config LIBC_DL
>  
>  config LIBC_CRYPT
>  	bool
> -	select GLIBC_CRYPT		if LIBC_GLIBC
> -	select UCLIBC_CRYPT		if LIBC_UCLIBC
> +	select GLIBC_CRYPT		if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT
> +	select UCLIBC_CRYPT		if LIBC_UCLIBC && LIBC_CRYPT_NATIVE_CRYPT
>  
>  config LIBC_UTIL
>  	bool
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000..01f9dd4b1
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +	bool
> +	prompt "libxcrypt                     "
> +	help
> +	  Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +	  libxcrypt is a modern library for one-way hashing of passwords.
> +	  It supports a wide variety of both modern and historical hashing
> +	  methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +	  sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +	  and descrypt.  It provides the traditional Unix crypt and crypt_r
> +	  interfaces, as well as a set of extended interfaces pioneered by
> +	  Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +	  crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +	  libxcrypt is intended to be used by login(1), passwd(1), and other
> +	  similar programs; that is, to hash a small number of passwords
> +	  during an interactive authentication dialogue with a human.  It is
> +	  not suitable for use in bulk password-cracking applications, or in
> +	  any other situation where speed is more important than careful
> +	  handling of sensitive data.  However, it is intended to be fast and
> +	  lightweight enough for use in servers that must field thousands of
> +	  login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +	bool
> +	prompt "Replace obsolete functions with non-functional stubs"
> +	help
> +	  If enabled, this option replaces the obsolete APIs (fcrypt,
> +	  encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +	  ENOSYS and return without performing any real operations.
> +
> +	  For security reasons, the encrypt{,r} functions will also
> +	  overwrite their data-block argument with random bits.
> +
> +	  The fcrypt function will also always return NULL-pointer.
> +
> +endif
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000..e048968d0
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <bes@pengutronix.de>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION	:= 4.4.36
> +LIBXCRYPT_MD5		:= b84cd4104e08c975063ec6c4d0372446
> +LIBXCRYPT		:= libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX	:= tar.xz
> +LIBXCRYPT_URL		:= https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE	:= $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR		:= $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE	:= LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5	:= file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL	:= autoconf
> +LIBXCRYPT_CONF_OPT	:= \
> +	$(CROSS_AUTOCONF_USR) \
> +	--disable-failure-tokens \
> +	--disable-static \
> +	--disable-valgrind \
> +	--enable-obsolete-api \
> +	--enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +	--enable-hashes=$(HASH_METHODS) \
> +	--enable-xcrypt-compat-files
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +	@$(call targetinfo)
> +
> +	@$(call install_init, libxcrypt)
> +	@$(call install_fixup, libxcrypt,PRIORITY,optional)
> +	@$(call install_fixup, libxcrypt,SECTION,base)
> +	@$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser <bes@pengutronix.de>")
> +	@$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +	@$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +	@$(call install_finish, libxcrypt)
> +
> +	@$(call touch)
> +
> +# vim: syntax=make
> diff --git a/rules/uclibc.in b/rules/uclibc.in
> index 1fa99eba5..39d8ca3d7 100644
> --- a/rules/uclibc.in
> +++ b/rules/uclibc.in
> @@ -26,7 +26,8 @@ config UCLIBC_C
>  
>  config UCLIBC_CRYPT
>  	bool
> -	prompt "Install libcrypt"
> +	prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT
> +	default no if !LIBC_CRYPT_NATIVE_CRYPT
>  	help
>  	  The encryption/decryption library
>  
> -- 
> 2.39.2
> 
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |