From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Fri, 06 May 2022 13:27:49 +0200 Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nmw7h-003g7o-Fk for lore@lore.pengutronix.de; Fri, 06 May 2022 13:27:49 +0200 Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1nmw7g-0007u4-Sa; Fri, 06 May 2022 13:27:48 +0200 Received: from dd49822.kasserver.com ([85.13.133.67]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nmw7U-0007sa-VT; Fri, 06 May 2022 13:27:37 +0200 Received: from [10.0.0.47] (business-90-187-50-69.pool2.vodafone-ip.de [90.187.50.69]) by dd49822.kasserver.com (Postfix) with ESMTPSA id 1AF0D6040472; Fri, 6 May 2022 13:27:36 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=helmcke.name; s=kas202111281029; t=1651836456; bh=oc5Wz9zw+sMhP72pMs5h5+ftMpwJjKxPxLumhZmI+aw=; h=Date:Subject:To:References:From:Cc:In-Reply-To:From; b=VRACQd4k6Pzuoh8OTMBdc6SF0h20gvMp9aQTznGcn1DrYcz5gXuCnZuthQV0EoT72 +7i+FyOvSYsB5+Au2J/m+xyqQXftQSUGRJMdZxYsxxy7STO/tcKR05/lGTxhGPlLUo 0GPiRJ2m9Edhs8WQDLsOdjz1qPnLjYy5rwKH03CRNkwAOC84bnQ+W/TFthkCrbrGk2 TAgGq7qeDPqzxpCyuXESUMalo/YmMnpY6S0nM1v0Ug7UiotqLI/F9nPxid2oF9ddbM ZpkcTV79Us1PsTBUrhjzwXsLFIFkKZVjzpoCX9JjTeyqNODOpxkshp1MmbwGIHMyZ1 b6Q1NSm0UNM3A== Message-ID: Date: Fri, 6 May 2022 13:27:35 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0 Content-Language: en-US To: ptxdist@pengutronix.de References: <6c96f889fd74c14b7153d621e46cc1248ddfc0cb.camel@pengutronix.de> <20190923100706.1994-1-b.esser@pengutronix.de> From: Andreas Helmcke In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.ext.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-3.7 required=4.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Subject: [ptxdist] [PATCH v7] libxcrypt: new package X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: m.olbrich@pengutronix.de Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false Also implement the needed logic to (optionally) replace the libcrypt from the selected libc with libxcrypt. libxcrypt is a modern library for one-way hashing of passwords. It supports a wide variety of both modern and historical hashing methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, and descrypt. It provides the traditional Unix crypt and crypt_r interfaces, as well as a set of extended interfaces pioneered by Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra. libxcrypt is intended to be used by login(1), passwd(1), and other similar programs; that is, to hash a small number of passwords during an interactive authentication dialogue with a human. It is not suitable for use in bulk password-cracking applications, or in any other situation where speed is more important than careful handling of sensitive data. However, it is intended to be fast and lightweight enough for use in servers that must field thousands of login attempts per minute. Co-authored-by: Andreas Helmcke Signed-off-by: Andreas Helmcke Signed-off-by: Björn Esser --- v6 -> v7: - Applied the changes recommend by Michael Olbrich v5 -> v6: (by Andreas Helmcke) - Updated commit message to properly address authors v4 -> v5: (by Andreas Helmcke) - Update libxcrypt 4.4.10 -> 4.4.24 - Changed download url to official tar, which does not need autoconf - Changed the config variable names to reflect menu structure - Corrected two typos original work by Björn Esser : v3 -> v4: - Update libxcrypt 4.4.9 -> 4.4.10 v2 -> v3: - Added 3 files that also needed minor adaptions and I forgot to add to the initial patch. v1 -> v2: - Adapt the two remarks pointed out by Dennis Osterland rules/glibc.in | 3 +- rules/libc.in | 8 +++-- rules/libxcrypt.in | 42 ++++++++++++++++++++++++++ rules/libxcrypt.make | 71 ++++++++++++++++++++++++++++++++++++++++++++ rules/uclibc.in | 3 +- 5 files changed, 123 insertions(+), 4 deletions(-) create mode 100644 rules/libxcrypt.in create mode 100644 rules/libxcrypt.make diff --git a/rules/glibc.in b/rules/glibc.in index 16e5e84d1..e574bc8f0 100644 --- a/rules/glibc.in +++ b/rules/glibc.in @@ -81,7 +81,8 @@ config GLIBC_DL config GLIBC_CRYPT bool - prompt "Install libcrypt" + prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT + default no if !LIBC_CRYPT_NATIVE_CRYPT help The encryption/decryption library diff --git a/rules/libc.in b/rules/libc.in index 1614affd9..f2e56fa62 100644 --- a/rules/libc.in +++ b/rules/libc.in @@ -27,6 +27,10 @@ choice prompt "uClibc " endchoice +config LIBC_CRYPT_NATIVE_CRYPT + bool + default !LIBXCRYPT + source "generated/libc.in" endif @@ -59,8 +63,8 @@ config LIBC_DL config LIBC_CRYPT bool - select GLIBC_CRYPT if LIBC_GLIBC - select UCLIBC_CRYPT if LIBC_UCLIBC + select GLIBC_CRYPT if LIBC_GLIBC && LIBC_CRYPT_NATIVE_CRYPT + select UCLIBC_CRYPT if LIBC_UCLIBC && LIBC_CRYPT_NATIVE_CRYPT config LIBC_UTIL bool diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in new file mode 100644 index 000000000..01f9dd4b1 --- /dev/null +++ b/rules/libxcrypt.in @@ -0,0 +1,42 @@ +## SECTION=system_libraries + +menuconfig LIBXCRYPT + bool + prompt "libxcrypt " + help + Extended crypt library for descrypt, md5crypt, bcrypt, and others. + + libxcrypt is a modern library for one-way hashing of passwords. + It supports a wide variety of both modern and historical hashing + methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, + sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, + and descrypt. It provides the traditional Unix crypt and crypt_r + interfaces, as well as a set of extended interfaces pioneered by + Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, + crypt_gensalt_rn, and crypt_gensalt_ra. + + libxcrypt is intended to be used by login(1), passwd(1), and other + similar programs; that is, to hash a small number of passwords + during an interactive authentication dialogue with a human. It is + not suitable for use in bulk password-cracking applications, or in + any other situation where speed is more important than careful + handling of sensitive data. However, it is intended to be fast and + lightweight enough for use in servers that must field thousands of + login attempts per minute. + +if LIBXCRYPT + +config LIBXCRYPT_OBSOLETE_STUBS + bool + prompt "Replace obsolete functions with non-functional stubs" + help + If enabled, this option replaces the obsolete APIs (fcrypt, + encrypt{,_r}, and setkey{,_r}) with stubs that set errno to + ENOSYS and return without performing any real operations. + + For security reasons, the encrypt{,r} functions will also + overwrite their data-block argument with random bits. + + The fcrypt function will also always return NULL-pointer. + +endif diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make new file mode 100644 index 000000000..930d91e8b --- /dev/null +++ b/rules/libxcrypt.make @@ -0,0 +1,71 @@ +# -*-makefile-*- +# +# Copyright (C) 2019 by Bjoern Esser +# +# For further information about the PTXdist project and license conditions +# see the README file. +# + +# +# We provide this package +# +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt + +# +# Paths and names +# +LIBXCRYPT_VERSION := 4.4.28 +LIBXCRYPT_MD5 := 0b873e641ae201e5e7470cf791c0fe16 +LIBXCRYPT := libxcrypt-$(LIBXCRYPT_VERSION) +LIBXCRYPT_SUFFIX := tar.xz +LIBXCRYPT_URL := https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) +LIBXCRYPT_SOURCE := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX) +LIBXCRYPT_DIR := $(BUILDDIR)/$(LIBXCRYPT) +LIBXCRYPT_LICENSE := LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause AND 0BSD AND public_domain +LIBXCRYPT_LICENSE_MD5 := file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c + +# ---------------------------------------------------------------------------- +# Prepare +# ---------------------------------------------------------------------------- + +# +# options +# + +# Hash methods enabled by default. +HASH_METHODS := glibc,strong + +# +# autoconf +# +LIBXCRYPT_CONF_TOOL := autoconf +LIBXCRYPT_CONF_OPT := \ + $(CROSS_AUTOCONF_USR) \ + --disable-failure-tokens \ + --disable-static \ + --disable-valgrind \ + --enable-obsolete-api \ + --enable-obsolete-api-enosys=$(call ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \ + --enable-hashes=$(HASH_METHODS) \ + --enable-xcrypt-compat-files + +# ---------------------------------------------------------------------------- +# Target-Install +# ---------------------------------------------------------------------------- + +$(STATEDIR)/libxcrypt.targetinstall: + @$(call targetinfo) + + @$(call install_init, libxcrypt) + @$(call install_fixup, libxcrypt,PRIORITY,optional) + @$(call install_fixup, libxcrypt,SECTION,base) + @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser ") + @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library) + + @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt) + + @$(call install_finish, libxcrypt) + + @$(call touch) + +# vim: syntax=make diff --git a/rules/uclibc.in b/rules/uclibc.in index 1fa99eba5..39d8ca3d7 100644 --- a/rules/uclibc.in +++ b/rules/uclibc.in @@ -26,7 +26,8 @@ config UCLIBC_C config UCLIBC_CRYPT bool - prompt "Install libcrypt" + prompt "Install libcrypt" if LIBC_CRYPT_NATIVE_CRYPT + default no if !LIBC_CRYPT_NATIVE_CRYPT help The encryption/decryption library -- 2.34.1