New configure option --disable-crypt.

Some Linux distributions are experimenting with a new, separately
maintained and hopefully more agile implementation of the crypt
API.  To facilitate this, add a configure option which disables
glibc's embedded libcrypt.  When this option is given, libcrypt.*
and crypt.h will not be built nor installed.
Zack Weinberg 2018-06-29 16:53:47 +02:00 committed by Florian Weimer
parent 841785bad1
commit e69d994a63
12 changed files with 123 additions and 19 deletions


@ -1,3 +1,26 @@
2018-06-29 Zack Weinberg <zackw@panix.com>
* configure.ac: New command-line option --disable-crypt.
Force --disable-nss-crypt when --disable-crypt is given, with a
warning if it was explicitly enabled.
* configure: Regenerate.
* config.make.in: New boolean substitution variable $(build-crypt).
* Makeconfig: Only include 'crypt' in all-subdirs and rpath-dirs
when $(build-crypt).
* manual/install.texi: Document --disable-crypt.
* INSTALL: Regenerate.
* crypt/Makefile: Remove code conditional on $(crypt-in-libc),
which is never set.
* conform/Makefile: Only include libcrypt.a in
linknamespace-libs-xsi and linknamespace-libs-XPG4
when $(build-crypt).
* elf/Makefile (CFLAGS-tst-linkall-static.c): Only define
USE_CRYPT to 1 when $(build-crypt).
(tst-linkall-static): Only link libcrypt.a when $(build-crypt).
(localplt-built-dso): Only add libcrypt.so when $(build-crypt).
* elf/tst-linkall-static.c: Only include crypt.h when USE_CRYPT.
2018-06-29 Zack Weinberg <zackw@panix.com> 2018-06-29 Zack Weinberg <zackw@panix.com>
* crypt/crypt.h, posix/unistd.h: Update comments and * crypt/crypt.h, posix/unistd.h: Update comments and

INSTALL

@ -197,6 +197,17 @@ if 'CFLAGS' is specified it must enable optimization. For example:
libnss_nisplus are not built at all. Use this option to enable libnss_nisplus are not built at all. Use this option to enable
libnsl with all depending NSS modules and header files. libnsl with all depending NSS modules and header files.
'--disable-crypt'
Do not install the passphrase-hashing library 'libcrypt' or the
header file 'crypt.h'. 'unistd.h' will still declare the function
'crypt'. Using this option does not change the set of programs
that may need to be linked with '-lcrypt'; it only means that the
GNU C Library will not provide that library.
This option is for hackers and distributions experimenting with
independently-maintained implementations of libcrypt. It may
become the default in a future release.
'--disable-experimental-malloc' '--disable-experimental-malloc'
By default, a per-thread cache is enabled in 'malloc'. While this By default, a per-thread cache is enabled in 'malloc'. While this
cache can be disabled on a per-application basis using tunables cache can be disabled on a per-application basis using tunables


@ -566,7 +566,7 @@ link-libc-printers-tests = $(link-libc-rpath) \
$(link-libc-tests-after-rpath-link) $(link-libc-tests-after-rpath-link)
# This is how to find at build-time things that will be installed there. # This is how to find at build-time things that will be installed there.
rpath-dirs = math elf dlfcn nss nis rt resolv crypt mathvec support rpath-dirs = math elf dlfcn nss nis rt resolv mathvec support
rpath-link = \ rpath-link = \
$(common-objdir):$(subst $(empty) ,:,$(patsubst ../$(subdir),.,$(rpath-dirs:%=$(common-objpfx)%))) $(common-objdir):$(subst $(empty) ,:,$(patsubst ../$(subdir),.,$(rpath-dirs:%=$(common-objpfx)%)))
else # build-static else # build-static
@ -1205,9 +1205,14 @@ all-subdirs = csu assert ctype locale intl catgets math setjmp signal \
stdlib stdio-common libio malloc string wcsmbs time dirent \ stdlib stdio-common libio malloc string wcsmbs time dirent \
grp pwd posix io termios resource misc socket sysvipc gmon \ grp pwd posix io termios resource misc socket sysvipc gmon \
gnulib iconv iconvdata wctype manual shadow gshadow po argp \ gnulib iconv iconvdata wctype manual shadow gshadow po argp \
crypt localedata timezone rt conform debug mathvec support \ localedata timezone rt conform debug mathvec support \
dlfcn elf dlfcn elf
ifeq ($(build-crypt),yes)
all-subdirs += crypt
rpath-dirs += crypt
endif
ifndef avoid-generated ifndef avoid-generated
# sysd-sorted itself will contain rules making the sysd-sorted target # sysd-sorted itself will contain rules making the sysd-sorted target
# depend on Depend files. But if you just added a Depend file to an # depend on Depend files. But if you just added a Depend file to an

NEWS

@ -133,6 +133,18 @@ Deprecated and removed features, and other changes affecting compatibility:
binaries. It was just another name for the standard function crypt, binaries. It was just another name for the standard function crypt,
and it has not appeared in any header file in many years. and it has not appeared in any header file in many years.
* We have tentative plans to hand off maintenance of the passphrase-hashing
library, libcrypt, to a separate development project that will, we hope,
keep up better with new passphrase-hashing algorithms. We will continue
to declare 'crypt' in <unistd.h>, and programs that use 'crypt' or
'crypt_r' should not need to change at all; however, distributions will
need to install <crypt.h> and libcrypt from a separate project.
In this release, if the configure option --disable-crypt is used, glibc
will not install <crypt.h> or libcrypt, making room for the separate
project's versions of these files. The plan is to make this the default
behavior in a future release.
Changes to build and runtime requirements: Changes to build and runtime requirements:
[Add changes to build and runtime requirements here] [Add changes to build and runtime requirements here]


@ -96,6 +96,7 @@ cross-compiling = @cross_compiling@
force-install = @force_install@ force-install = @force_install@
link-obsolete-rpc = @link_obsolete_rpc@ link-obsolete-rpc = @link_obsolete_rpc@
build-obsolete-nsl = @build_obsolete_nsl@ build-obsolete-nsl = @build_obsolete_nsl@
build-crypt = @build_crypt@
build-nscd = @build_nscd@ build-nscd = @build_nscd@
use-nscd = @use_nscd@ use-nscd = @use_nscd@
build-hardcoded-path-in-tests= @hardcoded_path_in_tests@ build-hardcoded-path-in-tests= @hardcoded_path_in_tests@

configure

@ -676,6 +676,7 @@ build_obsolete_nsl
link_obsolete_rpc link_obsolete_rpc
libc_cv_static_nss_crypt libc_cv_static_nss_crypt
libc_cv_nss_crypt libc_cv_nss_crypt
build_crypt
experimental_malloc experimental_malloc
enable_werror enable_werror
all_warnings all_warnings
@ -779,6 +780,7 @@ enable_all_warnings
enable_werror enable_werror
enable_multi_arch enable_multi_arch
enable_experimental_malloc enable_experimental_malloc
enable_crypt
enable_nss_crypt enable_nss_crypt
enable_obsolete_rpc enable_obsolete_rpc
enable_obsolete_nsl enable_obsolete_nsl
@ -1448,6 +1450,8 @@ Optional Features:
architectures architectures
--disable-experimental-malloc --disable-experimental-malloc
disable experimental malloc features disable experimental malloc features
--disable-crypt do not build nor install the passphrase hashing
library, libcrypt
--enable-nss-crypt enable libcrypt to use nss --enable-nss-crypt enable libcrypt to use nss
--enable-obsolete-rpc build and install the obsolete RPC code for --enable-obsolete-rpc build and install the obsolete RPC code for
link-time usage link-time usage
@ -3505,6 +3509,15 @@ fi
# Check whether --enable-crypt was given.
if test "${enable_crypt+set}" = set; then :
enableval=$enable_crypt; build_crypt=$enableval
else
build_crypt=yes
fi
# Check whether --enable-nss-crypt was given. # Check whether --enable-nss-crypt was given.
if test "${enable_nss_crypt+set}" = set; then : if test "${enable_nss_crypt+set}" = set; then :
enableval=$enable_nss_crypt; nss_crypt=$enableval enableval=$enable_nss_crypt; nss_crypt=$enableval
@ -3512,6 +3525,11 @@ else
nss_crypt=no nss_crypt=no
fi fi
if test x$build_libcrypt = xno && test x$nss_crypt = xyes; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: --enable-nss-crypt has no effect when libcrypt is disabled" >&5
$as_echo "$as_me: WARNING: --enable-nss-crypt has no effect when libcrypt is disabled" >&2;}
nss_crypt=no
fi
if test x$nss_crypt = xyes; then if test x$nss_crypt = xyes; then
nss_includes=-I$(nss-config --includedir 2>/dev/null) nss_includes=-I$(nss-config --includedir 2>/dev/null)
if test $? -ne 0; then if test $? -ne 0; then


@ -302,11 +302,22 @@ AC_ARG_ENABLE([experimental-malloc],
[experimental_malloc=yes]) [experimental_malloc=yes])
AC_SUBST(experimental_malloc) AC_SUBST(experimental_malloc)
AC_ARG_ENABLE([crypt],
AC_HELP_STRING([--disable-crypt],
[do not build nor install the passphrase hashing library, libcrypt]),
[build_crypt=$enableval],
[build_crypt=yes])
AC_SUBST(build_crypt)
AC_ARG_ENABLE([nss-crypt], AC_ARG_ENABLE([nss-crypt],
AC_HELP_STRING([--enable-nss-crypt], AC_HELP_STRING([--enable-nss-crypt],
[enable libcrypt to use nss]), [enable libcrypt to use nss]),
[nss_crypt=$enableval], [nss_crypt=$enableval],
[nss_crypt=no]) [nss_crypt=no])
if test x$build_libcrypt = xno && test x$nss_crypt = xyes; then
AC_MSG_WARN([--enable-nss-crypt has no effect when libcrypt is disabled])
nss_crypt=no
fi
if test x$nss_crypt = xyes; then if test x$nss_crypt = xyes; then
nss_includes=-I$(nss-config --includedir 2>/dev/null) nss_includes=-I$(nss-config --includedir 2>/dev/null)
if test $? -ne 0; then if test $? -ne 0; then
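Review bot: The guard added ahead of the nss-crypt check tests `x$build_libcrypt = xno`, but the AC_ARG_ENABLE block just above it stores the result in `build_crypt`, and nothing in this hunk sets `build_libcrypt`. With that variable empty the test compares `x` against `xno`, so the warning never fires and `nss_crypt` is not forced to `no` when --disable-crypt and --enable-nss-crypt are given together, contrary to the ChangeLog entry. Change the test to `test x$build_crypt = xno` and regenerate configure, which carries the same comparison.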


@ -193,13 +193,11 @@ linknamespace-libs-thr = $(linknamespace-libs-isoc) \
$(common-objpfx)rt/librt.a $(static-thread-library) $(common-objpfx)rt/librt.a $(static-thread-library)
linknamespace-libs-posix = $(linknamespace-libs-thr) \ linknamespace-libs-posix = $(linknamespace-libs-thr) \
$(common-objpfx)dlfcn/libdl.a $(common-objpfx)dlfcn/libdl.a
linknamespace-libs-xsi = $(linknamespace-libs-posix) \ linknamespace-libs-xsi = $(linknamespace-libs-posix)
$(common-objpfx)crypt/libcrypt.a
linknamespace-libs-ISO = $(linknamespace-libs-isoc) linknamespace-libs-ISO = $(linknamespace-libs-isoc)
linknamespace-libs-ISO99 = $(linknamespace-libs-isoc) linknamespace-libs-ISO99 = $(linknamespace-libs-isoc)
linknamespace-libs-ISO11 = $(linknamespace-libs-isoc) linknamespace-libs-ISO11 = $(linknamespace-libs-isoc)
linknamespace-libs-XPG4 = $(linknamespace-libs-isoc) \ linknamespace-libs-XPG4 = $(linknamespace-libs-isoc)
$(common-objpfx)crypt/libcrypt.a
linknamespace-libs-XPG42 = $(linknamespace-libs-XPG4) linknamespace-libs-XPG42 = $(linknamespace-libs-XPG4)
linknamespace-libs-POSIX = $(linknamespace-libs-thr) linknamespace-libs-POSIX = $(linknamespace-libs-thr)
linknamespace-libs-UNIX98 = $(linknamespace-libs-xsi) linknamespace-libs-UNIX98 = $(linknamespace-libs-xsi)
@ -209,6 +207,11 @@ linknamespace-libs-XOPEN2K8 = $(linknamespace-libs-xsi)
linknamespace-libs = $(foreach std,$(conformtest-standards),\ linknamespace-libs = $(foreach std,$(conformtest-standards),\
$(linknamespace-libs-$(std))) $(linknamespace-libs-$(std)))
ifeq ($(build-crypt),yes)
linknamespace-libs-xsi += $(common-objpfx)crypt/libcrypt.a
linknamespace-libs-XPG4 += $(common-objpfx)crypt/libcrypt.a
endif
$(linknamespace-symlist-stdlibs-tests): $(objpfx)symlist-stdlibs-%: \ $(linknamespace-symlist-stdlibs-tests): $(objpfx)symlist-stdlibs-%: \
$(linknamespace-libs) $(linknamespace-libs)
LC_ALL=C $(READELF) -W -s $(linknamespace-libs-$*) > $@; \ LC_ALL=C $(READELF) -W -s $(linknamespace-libs-$*) > $@; \


@ -32,10 +32,6 @@ libcrypt-routines := crypt-entry md5-crypt sha256-crypt sha512-crypt crypt \
tests := cert md5c-test sha256c-test sha512c-test badsalttest tests := cert md5c-test sha256c-test sha512c-test badsalttest
ifeq ($(crypt-in-libc),yes)
routines += $(libcrypt-routines)
endif
ifeq ($(nss-crypt),yes) ifeq ($(nss-crypt),yes)
nss-cpp-flags := -DUSE_NSS \ nss-cpp-flags := -DUSE_NSS \
-I$(shell nss-config --includedir) -I$(shell nspr-config --includedir) -I$(shell nss-config --includedir) -I$(shell nspr-config --includedir)


@ -387,14 +387,21 @@ $(objpfx)tst-_dl_addr_inside_object: $(objpfx)dl-addr-obj.os
CFLAGS-tst-_dl_addr_inside_object.c += $(PIE-ccflag) CFLAGS-tst-_dl_addr_inside_object.c += $(PIE-ccflag)
endif endif
# By default tst-linkall-static should try to use crypt routines to test # We can only test static libcrypt use if libcrypt has been built,
# static libcrypt use. # and either NSS crypto is not in use, or static NSS libraries are
# available.
ifeq ($(build-crypt),no)
CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=0
else
ifeq ($(nss-crypt),no)
CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1 CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1
# However, if we are using NSS crypto and we don't have a static else
# library, then we exclude the use of crypt functions in the test. ifeq ($(static-nss-crypt),no)
# We similarly exclude libcrypt.a from the static link (see below). CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=0
ifeq (yesno,$(nss-crypt)$(static-nss-crypt)) else
CFLAGS-tst-linkall-static.c += -UUSE_CRYPT -DUSE_CRYPT=0 CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1
endif
endif
endif endif
include ../Rules include ../Rules
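Review bot: The new conditional for tst-linkall-static.c keys on `ifeq ($(build-crypt),no)`, while Makeconfig, conform/Makefile and the link rules later in this file key on `ifeq ($(build-crypt),yes)`. configure.ac assigns `build_crypt=$enableval` without validating it, so a value other than yes or no leaves crypt unbuilt and libcrypt.a unlinked while the test is still compiled with -DUSE_CRYPT=1. Use `ifneq ($(build-crypt),yes)` for the USE_CRYPT=0 branch, or reject other values in configure.ac.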
@ -1115,7 +1122,6 @@ localplt-built-dso := $(addprefix $(common-objpfx),\
rt/librt.so \ rt/librt.so \
dlfcn/libdl.so \ dlfcn/libdl.so \
resolv/libresolv.so \ resolv/libresolv.so \
crypt/libcrypt.so \
) )
ifeq ($(build-mathvec),yes) ifeq ($(build-mathvec),yes)
localplt-built-dso += $(addprefix $(common-objpfx), mathvec/libmvec.so) localplt-built-dso += $(addprefix $(common-objpfx), mathvec/libmvec.so)
@ -1123,6 +1129,9 @@ endif
ifeq ($(have-thread-library),yes) ifeq ($(have-thread-library),yes)
localplt-built-dso += $(filter-out %_nonshared.a, $(shared-thread-library)) localplt-built-dso += $(filter-out %_nonshared.a, $(shared-thread-library))
endif endif
ifeq ($(build-crypt),yes)
localplt-built-dso += $(addprefix $(common-objpfx), crypt/libcrypt.so)
endif
vpath localplt.data $(+sysdep_dirs) vpath localplt.data $(+sysdep_dirs)
@ -1410,6 +1419,7 @@ $(objpfx)tst-linkall-static: \
$(common-objpfx)resolv/libanl.a \ $(common-objpfx)resolv/libanl.a \
$(static-thread-library) $(static-thread-library)
ifeq ($(build-crypt),yes)
# If we are using NSS crypto and we have the ability to link statically # If we are using NSS crypto and we have the ability to link statically
# then we include libcrypt.a, otherwise we leave out libcrypt.a and # then we include libcrypt.a, otherwise we leave out libcrypt.a and
# link as much as we can into the tst-linkall-static test. This assumes # link as much as we can into the tst-linkall-static test. This assumes
@ -1425,6 +1435,7 @@ ifeq (no,$(nss-crypt))
$(objpfx)tst-linkall-static: \ $(objpfx)tst-linkall-static: \
$(common-objpfx)crypt/libcrypt.a $(common-objpfx)crypt/libcrypt.a
endif endif
endif
# The application depends on the DSO, and the DSO loads the plugin. # The application depends on the DSO, and the DSO loads the plugin.
# The plugin also depends on the DSO. This creates the circular # The plugin also depends on the DSO. This creates the circular


@ -18,7 +18,9 @@
#include <math.h> #include <math.h>
#include <pthread.h> #include <pthread.h>
#include <crypt.h> #if USE_CRYPT
# include <crypt.h>
#endif
#include <resolv.h> #include <resolv.h>
#include <dlfcn.h> #include <dlfcn.h>
#include <utmp.h> #include <utmp.h>


@ -230,6 +230,17 @@ libnss_nisplus are not built at all.
Use this option to enable libnsl with all depending NSS modules and Use this option to enable libnsl with all depending NSS modules and
header files. header files.
@item --disable-crypt
Do not install the passphrase-hashing library @file{libcrypt} or the
header file @file{crypt.h}. @file{unistd.h} will still declare the
function @code{crypt}. Using this option does not change the set of
programs that may need to be linked with @option{-lcrypt}; it only
means that @theglibc{} will not provide that library.
This option is for hackers and distributions experimenting with
independently-maintained implementations of libcrypt. It may become
the default in a future release.
@item --disable-experimental-malloc @item --disable-experimental-malloc
By default, a per-thread cache is enabled in @code{malloc}. While By default, a per-thread cache is enabled in @code{malloc}. While
this cache can be disabled on a per-application basis using tunables this cache can be disabled on a per-application basis using tunables
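Review bot: The new --disable-crypt item does not say that the option also overrides --enable-nss-crypt, which the ChangeLog entry for configure.ac describes as forced off with a warning. Add a sentence to this item stating that --enable-nss-crypt has no effect when libcrypt is disabled, then regenerate INSTALL so both copies of the text agree.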