Thanks, applied as a7d876d7f095a2ba80a7ccc24eb7ce9690ed0792.

Michael

[sent from post-receive hook]

On Fri, 10 Nov 2023 08:25:26 +0100, Andreas Helmcke <[email protected]> 
wrote:
> Also implement the needed logic to (optionally) replace
> the libcrypt from the selected libc with libxcrypt.
> 
> libxcrypt is a modern library for one-way hashing of passwords.
> It supports a wide variety of both modern and historical hashing
> methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> and descrypt. It provides the traditional Unix crypt and crypt_r
> interfaces, as well as a set of extended interfaces pioneered by
> Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn,
> and crypt_gensalt_ra.
> 
> libxcrypt is intended to be used by login(1), passwd(1), and other
> similar programs; that is, to hash a small number of passwords
> during an interactive authentication dialogue with a human.  It is
> not suitable for use in bulk password-cracking applications, or in
> any other situation where speed is more important than careful
> handling of sensitive data.  However, it is intended to be fast and
> lightweight enough for use in servers that must field thousands of
> login attempts per minute.
> 
> Co-authored-by: Björn Esser <[email protected]>
> Signed-off-by: Björn Esser <[email protected]>
> Signed-off-by: Andreas Helmcke <[email protected]>
> Message-Id: <[email protected]>
> [mol: only use it with glibc and add dependencies]
> Signed-off-by: Michael Olbrich <[email protected]>
> 
> diff --git a/rules/glibc.in b/rules/glibc.in
> index 2bcaa8893e64..03847b2be916 100644
> --- a/rules/glibc.in
> +++ b/rules/glibc.in
> @@ -28,6 +28,13 @@ config GLIBC_2_34
>         libraries can still be selected explicitly here if necessary.
>         For example if legacy binaries link to such a library.
>  
> +config GLIBC_2_38
> +     bool
> +     prompt "glibc-2.38 or later"
> +     help
> +       In glibc-2.38 libcrypt was deprecated and removed afterwards.
> +       So libxcrypt is needed to provide the libcrypt implmentation.
> +
>  config GLIBC_LD
>       bool
>       help
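Review bot: `GLIBC_2_38` is a hand-set `prompt` with no default, so nothing in this hunk ties it to the glibc version the toolchain actually ships. If it is left off with glibc 2.38 or later, `LIBC_CRYPT` presumably still selects `GLIBC_CRYPT`, and the target may end up without a usable libcrypt for login and passwd. The help text should state that the switch must match the toolchain, for example `Enable this if the toolchain's glibc is 2.38 or later; the setting must match the toolchain.` The word `implmentation` in the new help should read `implementation`.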
> @@ -99,6 +106,7 @@ config GLIBC_DL
>  
>  config GLIBC_CRYPT
>       bool
> +     depends on !GLIBC_2_38
>       prompt "Install libcrypt"
>       help
>         The encryption/decryption library
> diff --git a/rules/libc.in b/rules/libc.in
> index f7d1d2be6c17..34cf9900b714 100644
> --- a/rules/libc.in
> +++ b/rules/libc.in
> @@ -59,7 +59,10 @@ config LIBC_DL
>  
>  config LIBC_CRYPT
>       bool
> -     select GLIBC_CRYPT              if LIBC_GLIBC
> +     select GLIBC_CRYPT              if LIBC_GLIBC && !GLIBC_2_38
> +     select LIBXCRYPT                if LIBC_GLIBC && GLIBC_2_38
> +     # use virtual here to propagate the dependency
> +     select VIRTUAL                  if LIBC_GLIBC && GLIBC_2_38
>       select UCLIBC_CRYPT             if LIBC_UCLIBC
>  
>  config LIBC_UTIL
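Review bot: The comment `# use virtual here to propagate the dependency` does not say which dependency is meant, or why `select LIBXCRYPT` on the line above is not enough. My reading, which the hunk itself does not confirm, is that it makes packages selecting `LIBC_CRYPT` depend on libxcrypt being built first. I would spell that out, e.g. `# VIRTUAL is needed so that packages selecting LIBC_CRYPT get a build dependency on libxcrypt`. The `LIBC_CRYPT` entry starts inside the hunk, but the surrounding file continues outside it.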
> diff --git a/rules/libxcrypt.in b/rules/libxcrypt.in
> new file mode 100644
> index 000000000000..01f9dd4b15b0
> --- /dev/null
> +++ b/rules/libxcrypt.in
> @@ -0,0 +1,42 @@
> +## SECTION=system_libraries
> +
> +menuconfig LIBXCRYPT
> +     bool
> +     prompt "libxcrypt                     "
> +     help
> +       Extended crypt library for descrypt, md5crypt, bcrypt, and others.
> +
> +       libxcrypt is a modern library for one-way hashing of passwords.
> +       It supports a wide variety of both modern and historical hashing
> +       methods: yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt,
> +       sha256crypt, md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt,
> +       and descrypt.  It provides the traditional Unix crypt and crypt_r
> +       interfaces, as well as a set of extended interfaces pioneered by
> +       Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt,
> +       crypt_gensalt_rn, and crypt_gensalt_ra.
> +
> +       libxcrypt is intended to be used by login(1), passwd(1), and other
> +       similar programs; that is, to hash a small number of passwords
> +       during an interactive authentication dialogue with a human.  It is
> +       not suitable for use in bulk password-cracking applications, or in
> +       any other situation where speed is more important than careful
> +       handling of sensitive data.  However, it is intended to be fast and
> +       lightweight enough for use in servers that must field thousands of
> +       login attempts per minute.
> +
> +if LIBXCRYPT
> +
> +config LIBXCRYPT_OBSOLETE_STUBS
> +     bool
> +     prompt "Replace obsolete functions with non-functional stubs"
> +     help
> +       If enabled, this option replaces the obsolete APIs (fcrypt,
> +       encrypt{,_r}, and setkey{,_r}) with stubs that set errno to
> +       ENOSYS and return without performing any real operations.
> +
> +       For security reasons, the encrypt{,r} functions will also
> +       overwrite their data-block argument with random bits.
> +
> +       The fcrypt function will also always return NULL-pointer.
> +
> +endif
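Review bot: `LIBXCRYPT_OBSOLETE_STUBS` has no `default` line, so it stays off unless someone enables it, and the DES-based `encrypt`, `setkey` and `fcrypt` interfaces remain functional in the installed library. For a target with no legacy binaries to serve, the stubs are the safer starting point; consider `default y`, or say in the help that leaving the option disabled keeps the obsolete DES functions usable. The help also writes `encrypt{,r}` where the paragraph above it has `encrypt{,_r}`.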
> diff --git a/rules/libxcrypt.make b/rules/libxcrypt.make
> new file mode 100644
> index 000000000000..e048968d0cc4
> --- /dev/null
> +++ b/rules/libxcrypt.make
> @@ -0,0 +1,71 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2019 by Bjoern Esser <[email protected]>
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_LIBXCRYPT) += libxcrypt
> +
> +#
> +# Paths and names
> +#
> +LIBXCRYPT_VERSION    := 4.4.36
> +LIBXCRYPT_MD5                := b84cd4104e08c975063ec6c4d0372446
> +LIBXCRYPT            := libxcrypt-$(LIBXCRYPT_VERSION)
> +LIBXCRYPT_SUFFIX     := tar.xz
> +LIBXCRYPT_URL                := 
> https://github.com/besser82/libxcrypt/releases/download/v$(LIBXCRYPT_VERSION)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_SOURCE     := $(SRCDIR)/$(LIBXCRYPT).$(LIBXCRYPT_SUFFIX)
> +LIBXCRYPT_DIR                := $(BUILDDIR)/$(LIBXCRYPT)
> +LIBXCRYPT_LICENSE    := LGPL-2.1-or-later AND BSD-3-Clause AND BSD-2-Clause 
> AND 0BSD AND public_domain
> +LIBXCRYPT_LICENSE_MD5        := 
> file://LICENSING;md5=3bb6614cf5880cbf1b9dbd9e3d145e2c
> +
> +# 
> ----------------------------------------------------------------------------
> +# Prepare
> +# 
> ----------------------------------------------------------------------------
> +
> +#
> +# options
> +#
> +
> +# Hash methods enabled by default.
> +HASH_METHODS := glibc,strong
> +
> +#
> +# autoconf
> +#
> +LIBXCRYPT_CONF_TOOL  := autoconf
> +LIBXCRYPT_CONF_OPT   := \
> +     $(CROSS_AUTOCONF_USR) \
> +     --disable-failure-tokens \
> +     --disable-static \
> +     --disable-valgrind \
> +     --enable-obsolete-api \
> +     --enable-obsolete-api-enosys=$(call 
> ptx/ifdef,PTXCONF_LIBXCRYPT_OBSOLETE_STUBS,yes,no) \
> +     --enable-hashes=$(HASH_METHODS) \
> +     --enable-xcrypt-compat-files
> +
> +# 
> ----------------------------------------------------------------------------
> +# Target-Install
> +# 
> ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/libxcrypt.targetinstall:
> +     @$(call targetinfo)
> +
> +     @$(call install_init, libxcrypt)
> +     @$(call install_fixup, libxcrypt,PRIORITY,optional)
> +     @$(call install_fixup, libxcrypt,SECTION,base)
> +     @$(call install_fixup, libxcrypt,AUTHOR,"Bjoern Esser 
> <[email protected]>")
> +     @$(call install_fixup, libxcrypt,DESCRIPTION,Extended crypt library)
> +
> +     @$(call install_lib, libxcrypt, 0, 0, 0644, libcrypt)
> +
> +     @$(call install_finish, libxcrypt)
> +
> +     @$(call touch)
> +
> +# vim: syntax=make
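Review bot: `HASH_METHODS := glibc,strong` defines a make variable without the package prefix. As far as I can tell the rule files share one namespace, so another file using the same name would silently change what `--enable-hashes=` receives here; `LIBXCRYPT_HASH_METHODS` would match the other variables in this file. The `glibc` group also keeps historical methods enabled (descrypt and md5crypt, as far as I know), which deserves a comment such as `# glibc: keep legacy hashes so existing shadow entries still verify`. Separately, the tarball is pinned only by `LIBXCRYPT_MD5`; MD5 catches corruption but is weak against a deliberately substituted archive, so a stronger digest should be recorded if the build system supports one.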
