From 7ad97baa4ffc5c37461ccee0d0cc48e5f183a398 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 22 Jul 2016 17:06:37 +0200 Subject: [PATCH] Resolves: #1324623 Provide libcrypt and libcrypt-nss subpackages. glibc has a Recommends: to prefer the NSS-based implementation. glibc-devel requires that one of the two packages is installed. --- glibc-rh1324623.patch | 104 ++++++++++++++++++++++++++++++++++++++ glibc.spec | 113 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 216 insertions(+), 1 deletion(-) create mode 100644 glibc-rh1324623.patch diff --git a/glibc-rh1324623.patch b/glibc-rh1324623.patch new file mode 100644 index 0000000..3c87463 --- /dev/null +++ b/glibc-rh1324623.patch @@ -0,0 +1,104 @@ +This patch creates a crypt-glibc subdirectory which builds the +libgcrypt files, but this time against the glibc sources. + +The default subdirs list does not include this subdirectory because +the file names conflict with the crypt directory. The spec file does +not use the install target to install the built libcrypt.so file, +either. + +Index: b/crypt-glibc/Makefile +=================================================================== +--- /dev/null ++++ b/crypt-glibc/Makefile +@@ -0,0 +1,51 @@ ++# Build libcrypt against internal cryptographic algorithms. ++# Copyright (C) 1996-2016 Free Software Foundation, Inc. ++# This file is part of the GNU C Library. ++ ++# The GNU C Library is free software; you can redistribute it and/or ++# modify it under the terms of the GNU Lesser General Public ++# License as published by the Free Software Foundation; either ++# version 2.1 of the License, or (at your option) any later version. ++ ++# The GNU C Library is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# Lesser General Public License for more details. ++ ++# You should have received a copy of the GNU Lesser General Public ++# License along with the GNU C Library; if not, see ++# . ++ ++# ++# Sub-makefile for crypt() portion of the library. ++# ++subdir := crypt-glibc ++ ++include ../Makeconfig ++ ++extra-libs := libcrypt ++extra-libs-others := $(extra-libs) ++ ++# Use the sources in the crypt subdirectory. ++vpath %.c ../crypt ++ ++libcrypt-routines := \ ++ crypt-entry md5-crypt sha256-crypt sha512-crypt crypt crypt_util ++ ++tests := cert md5c-test sha256c-test sha512c-test badsalttest ++ ++libcrypt-routines += md5 sha256 sha512 ++ ++tests += md5test sha256test sha512test ++ ++# The test md5test-giant uses up to 400 MB of RSS and runs on a fast ++# machine over a minute. ++xtests = md5test-giant ++ ++include ../Rules ++ ++ifeq (yes,$(build-shared)) ++$(addprefix $(objpfx),$(tests)): $(objpfx)libcrypt.so ++else ++$(addprefix $(objpfx),$(tests)): $(objpfx)libcrypt.a ++endif +Index: b/crypt/md5.c +=================================================================== +--- a/crypt/md5.c ++++ b/crypt/md5.c +@@ -270,4 +270,4 @@ md5_process_bytes (const void *buffer, s + } + } + +-#include ++#include "md5-block.c" +Index: b/crypt/sha256.c +=================================================================== +--- a/crypt/sha256.c ++++ b/crypt/sha256.c +@@ -212,4 +212,4 @@ __sha256_process_bytes (const void *buff + } + } + +-#include ++#include "sha256-block.c" +Index: b/crypt/sha512.c +=================================================================== +--- a/crypt/sha512.c ++++ b/crypt/sha512.c +@@ -235,4 +235,4 @@ __sha512_process_bytes (const void *buff + } + } + +-#include ++#include "sha512-block.c" +Index: b/crypt-glibc/Versions +=================================================================== +--- /dev/null ++++ b/crypt-glibc/Versions +@@ -0,0 +1,5 @@ ++libcrypt { ++ GLIBC_2.0 { ++ crypt; crypt_r; encrypt; encrypt_r; fcrypt; setkey; setkey_r; ++ } ++} diff --git a/glibc.spec b/glibc.spec index 388638d..54479bf 100644 --- a/glibc.spec +++ b/glibc.spec @@ -259,6 +259,9 @@ Patch0058: glibc-bug-regex-gcc5.patch # Add C.UTF-8 locale into /usr/lib/locale/ Patch0059: glibc-c-utf8-locale.patch +# Build libcrypt twice, with and without NSS. +Patch0060: glibc-rh1324623.patch + ############################################################################## # # Patches from upstream @@ -327,6 +330,11 @@ Provides: ld-linux.so.3(GLIBC_2.4) Requires: glibc-common = %{version}-%{release} +%if %{without bootstrap} +# Use the NSS-based cryptographic libraries by default. +Recommends: libcrypt-nss%{_isa} +%endif + Requires(pre): basesystem # This is for building auxiliary programs like memusage, nscd @@ -471,6 +479,48 @@ library binaries that will be selected instead when running under Xen. Install glibc-xen if you might run your system under the Xen hypervisor. %endif +###################################################################### +# crypt subpackages +###################################################################### + +%package -n libcrypt +Summary: Password hashing library (non-NSS version) +Group: System Environment/Libraries +Requires: %{name}%{_isa} = %{version}-%{release} +Provides: libcrypt%{_isa} +Conflicts: libcrypt-nss + +%description -n libcrypt +This package provides the crypt function, which implements password +hashing. The glibc implementation of the cryptographic algorithms is +used by this package. + +%post -n libcrypt +/sbin/ldconfig + +%postun -n libcrypt +/sbin/ldconfig + +%if %{without bootstrap} +%package -n libcrypt-nss +Summary: Password hashing library (NSS version) +Group: System Environment/Libraries +Requires: %{name}%{_isa} = %{version}-%{release} +Provides: libcrypt%{_isa} +Conflicts: libcrypt + +%description -n libcrypt-nss +This package provides the crypt function, which implements password +hashing. The cryptographic algorithm implementations are provided by +the low-level NSS libraries. + +%post -n libcrypt-nss +/sbin/ldconfig + +%postun -n libcrypt-nss +/sbin/ldconfig +%endif + ############################################################################## # glibc "devel" sub-package ############################################################################## @@ -482,6 +532,7 @@ Requires(pre): %{name}-headers Requires: %{name}-headers = %{version}-%{release} Requires: %{name} = %{version}-%{release} Requires: libgcc%{_isa} +Requires: libcrypt%{_isa} %description devel The glibc-devel package contains the object files necessary @@ -825,6 +876,7 @@ microbenchmark tests on the system. %patch0057 -p1 %patch0058 -p1 %patch0059 -p1 +%patch0060 -p1 %patch2036 -p1 %patch2037 -p1 %patch2038 -p1 @@ -1056,6 +1108,12 @@ build nosegneg -mno-tls-direct-seg-refs ) %endif +# Build libcrypt with glibc cryptographic implementations. +%if %{without bootstrap} +make %{?_smpflags} -C build-%{target} subdirs=crypt-glibc \ + CFLAGS="$build_CFLAGS" %{silentrules} +%endif + ############################################################################## # Build the glibc post-upgrade program: # We only build one of these with the default set of options. This program @@ -1149,6 +1207,31 @@ install_different() done } +############################################################################# +# Install libcrypt +############################################################################# + +%if %{without bootstrap} +# Move the NSS-based implementation out of the way. +libcrypt_found=false +for libcrypt in ${RPM_BUILD_ROOT}/%{_lib}/libcrypt-*.so ; do + if $libcrypt_found; then + # Multiple libcrypt files + ls -l ${RPM_BUILD_ROOT}/%{_lib}/libcrypt-*.so + exit 1 + fi + mv "$libcrypt" "$(echo "$libcrypt" | sed s/libcrypt-/libcrypt-nss-/)" +done + +# Install the non-NSS implementation in the original path. +install -m 755 build-%{target}/crypt-glibc/libcrypt.so "$libcrypt" + +unset libcrypt libcrypt_found +%endif + +# This symbolic link will be generated by ldconfig. +rm -f ${RPM_BUILD_ROOT}/%{_lib}/libcrypt.so.1 + ############################################################################## # Install the xen build files. ############################################################################## @@ -1366,6 +1449,8 @@ rm -f $RPM_BUILD_ROOT%{_prefix}/lib/debug%{_libdir}/*_p.a # - Contains the list of files for the static subpackage. # * nosegneg.filelist # - Contains the list of files for the xen subpackage. +# * libcrypt.filelist, libcrypt-nss.filelist +# - Contains the list of files for the crypt-related subpackages # * nss_db.filelist, nss_nis.filelist, nss_hesiod.filelist # - File lists for nss_* NSS module subpackages. # * nss-devel.filelist @@ -1551,6 +1636,14 @@ sed -i -e '\,/libnss_.*\.so[0-9.]*$,d' \ # Restore the built-in NSS modules. cat nss_files.filelist nss_dns.filelist >> rpm.filelist +# Prepare the libcrypt-related file lists. +grep '/libcrypt-[0-9.]*.so$' rpm.filelist > libcrypt.filelist +test $(wc -l < libcrypt.filelist) -eq 1 +%if %{without bootstrap} +sed s/libcrypt/libcrypt-nss/ < libcrypt.filelist > libcrypt-nss.filelist +%endif +sed -i -e '\,/libcrypt,d' rpm.filelist + # Remove the zoneinfo files # XXX: Why isn't this don't earlier when we are removing files? # Won't this impact what is shipped? @@ -1676,6 +1769,10 @@ find_debuginfo_args="$find_debuginfo_args \ -p '.*/(sbin|libexec)/.*' \ -o debuginfocommon.filelist \ -l nss_db.filelist -l nss_nis.filelist -l nss_hesiod.filelist \ + -l libcrypt.filelist \ +%if %{without bootstrap} + -l libcrypt-nss.filelist \ +%endif -l rpm.filelist \ %if %{with benchtests} -l nosegneg.filelist -l benchtests.filelist" @@ -1857,6 +1954,10 @@ run_tests () { echo ------------------------- done fi + + # If the crypt-glibc test suite fails, something is completely + # broken, so fail the build in this case. + make %{?_smp_mflags} subdirs=crypt-glibc check %{silentrules} } # Increase timeouts @@ -2084,7 +2185,8 @@ rm -f *.filelist* %{_prefix}/lib/locale/C.utf8/* %dir %attr(755,root,root) /etc/default %verify(not md5 size mtime) %config(noreplace) /etc/default/nss -%doc documentation/* +%doc documentation/README.timezone +%doc documentation/gai.conf %files all-langpacks %attr(0644,root,root) %verify(not md5 size mtime) %{_prefix}/lib/locale/locale-archive.tmpl @@ -2137,6 +2239,14 @@ rm -f *.filelist* %doc hesiod/README.hesiod %files -f nss-devel.filelist nss-devel +%files -f libcrypt.filelist -n libcrypt +%doc documentation/README.ufc-crypt +%ghost /%{_lib}/libcrypt.so.1 +%if %{without bootstrap} +%files -f libcrypt-nss.filelist -n libcrypt-nss +%ghost /%{_lib}/libcrypt.so.1 +%endif + %if 0%{?_enable_debug_packages} %files debuginfo -f debuginfo.filelist %defattr(-,root,root) @@ -2158,6 +2268,7 @@ rm -f *.filelist* - Drop sendmsg/recvmsg compatibility patch (#1344830) - glibc-devel depends on libgcc%%{_isa} (#1289356) - Drop Requires(pre) on libgcc +- Introduce libcrypt and libcrypt-nss (#1324623) * Wed Jul 20 2016 Florian Weimer - 2.23.90-29 - Move NSS modules to subpackages (#1338889)