@@ -197,6 +197,17 @@ if 'CFLAGS' is specified it must enable optimization. For example:
libnss_nisplus are not built at all. Use this option to enable
libnsl with all depending NSS modules and header files.
+'--disable-crypt'
+ Do not install the password-hashing library 'libcrypt' or the
+ header file 'crypt.h'. 'unistd.h' will still declare the function
+ 'crypt', as required by POSIX. Using this option does not change
+ the set of programs that may need to be linked with '-lcrypt'; it
+ only means that the GNU C Library will not provide that library.
+
+ This option is for hackers and distributions experimenting with
+ independently-maintained implementations of libcrypt. It may
+ become the default in a future release.
+
'--disable-experimental-malloc'
By default, a per-thread cache is enabled in 'malloc'. While this
cache can be disabled on a per-application basis using tunables
@@ -566,7 +566,7 @@ link-libc-printers-tests = $(link-libc-rpath) \
$(link-libc-tests-after-rpath-link)
# This is how to find at build-time things that will be installed there.
-rpath-dirs = math elf dlfcn nss nis rt resolv crypt mathvec support
+rpath-dirs = math elf dlfcn nss nis rt resolv mathvec support
rpath-link = \
$(common-objdir):$(subst $(empty) ,:,$(patsubst ../$(subdir),.,$(rpath-dirs:%=$(common-objpfx)%)))
else # build-static
@@ -1205,9 +1205,14 @@ all-subdirs = csu assert ctype locale intl catgets math setjmp signal \
stdlib stdio-common libio malloc string wcsmbs time dirent \
grp pwd posix io termios resource misc socket sysvipc gmon \
gnulib iconv iconvdata wctype manual shadow gshadow po argp \
- crypt localedata timezone rt conform debug mathvec support \
+ localedata timezone rt conform debug mathvec support \
dlfcn elf
+ifeq ($(build-crypt),yes)
+all-subdirs += crypt
+rpath-dirs += crypt
+endif
+
ifndef avoid-generated
# sysd-sorted itself will contain rules making the sysd-sorted target
# depend on Depend files. But if you just added a Depend file to an
@@ -67,6 +67,18 @@ Deprecated and removed features, and other changes affecting compatibility:
encrypt and setkey are not thread-safe. Software that still uses these
functions should switch to a modern cryptography library, such as GnuTLS.
+* We have tentative plans to deprecate glibc's implementation of the
+ password-hashing functions 'crypt' and 'crypt_r'. We will continue
+ to declare crypt in <unistd.h>, as required by POSIX, and programs
+ that use crypt or crypt_r should not need to change at all. However,
+ the header file <crypt.h> and library libcrypt.{a,so} will come from
+ a separate development project that will, we hope, keep up better with
+ new password-hashing algorithms.
+
+ In this release, if the configure option --disable-crypt is used,
+ glibc will not install <crypt.h> or libcrypt. The plan is to make
+ this the default behavior in a future release.
+
Changes to build and runtime requirements:
[Add changes to build and runtime requirements here]
@@ -96,6 +96,7 @@ cross-compiling = @cross_compiling@
force-install = @force_install@
link-obsolete-rpc = @link_obsolete_rpc@
build-obsolete-nsl = @build_obsolete_nsl@
+build-crypt = @build_crypt@
build-nscd = @build_nscd@
use-nscd = @use_nscd@
build-hardcoded-path-in-tests= @hardcoded_path_in_tests@
@@ -676,6 +676,7 @@ build_obsolete_nsl
link_obsolete_rpc
libc_cv_static_nss_crypt
libc_cv_nss_crypt
+build_crypt
experimental_malloc
enable_werror
all_warnings
@@ -779,6 +780,7 @@ enable_all_warnings
enable_werror
enable_multi_arch
enable_experimental_malloc
+enable_crypt
enable_nss_crypt
enable_obsolete_rpc
enable_obsolete_nsl
@@ -1448,6 +1450,8 @@ Optional Features:
architectures
--disable-experimental-malloc
disable experimental malloc features
+ --disable-crypt do not build nor install the password hashing
+ library, libcrypt
--enable-nss-crypt enable libcrypt to use nss
--enable-obsolete-rpc build and install the obsolete RPC code for
link-time usage
@@ -3505,6 +3509,15 @@ fi
+# Check whether --enable-crypt was given.
+if test "${enable_crypt+set}" = set; then :
+ enableval=$enable_crypt; build_crypt=$enableval
+else
+ build_crypt=yes
+fi
+
+
+
# Check whether --enable-nss-crypt was given.
if test "${enable_nss_crypt+set}" = set; then :
enableval=$enable_nss_crypt; nss_crypt=$enableval
@@ -3512,6 +3525,11 @@ else
nss_crypt=no
fi
+if test x$build_libcrypt = xno && test x$nss_crypt = xyes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: --enable-nss-crypt has no effect when libcrypt is disabled" >&5
+$as_echo "$as_me: WARNING: --enable-nss-crypt has no effect when libcrypt is disabled" >&2;}
+ nss_crypt=no
+fi
if test x$nss_crypt = xyes; then
nss_includes=-I$(nss-config --includedir 2>/dev/null)
if test $? -ne 0; then
@@ -302,11 +302,22 @@ AC_ARG_ENABLE([experimental-malloc],
[experimental_malloc=yes])
AC_SUBST(experimental_malloc)
+AC_ARG_ENABLE([crypt],
+ AC_HELP_STRING([--disable-crypt],
+ [do not build nor install the password hashing library, libcrypt]),
+ [build_crypt=$enableval],
+ [build_crypt=yes])
+AC_SUBST(build_crypt)
+
AC_ARG_ENABLE([nss-crypt],
AC_HELP_STRING([--enable-nss-crypt],
[enable libcrypt to use nss]),
[nss_crypt=$enableval],
[nss_crypt=no])
+if test x$build_libcrypt = xno && test x$nss_crypt = xyes; then
+ AC_MSG_WARN([--enable-nss-crypt has no effect when libcrypt is disabled])
+ nss_crypt=no
+fi
if test x$nss_crypt = xyes; then
nss_includes=-I$(nss-config --includedir 2>/dev/null)
if test $? -ne 0; then
@@ -193,13 +193,11 @@ linknamespace-libs-thr = $(linknamespace-libs-isoc) \
$(common-objpfx)rt/librt.a $(static-thread-library)
linknamespace-libs-posix = $(linknamespace-libs-thr) \
$(common-objpfx)dlfcn/libdl.a
-linknamespace-libs-xsi = $(linknamespace-libs-posix) \
- $(common-objpfx)crypt/libcrypt.a
+linknamespace-libs-xsi = $(linknamespace-libs-posix)
linknamespace-libs-ISO = $(linknamespace-libs-isoc)
linknamespace-libs-ISO99 = $(linknamespace-libs-isoc)
linknamespace-libs-ISO11 = $(linknamespace-libs-isoc)
-linknamespace-libs-XPG4 = $(linknamespace-libs-isoc) \
- $(common-objpfx)crypt/libcrypt.a
+linknamespace-libs-XPG4 = $(linknamespace-libs-isoc)
linknamespace-libs-XPG42 = $(linknamespace-libs-XPG4)
linknamespace-libs-POSIX = $(linknamespace-libs-thr)
linknamespace-libs-UNIX98 = $(linknamespace-libs-xsi)
@@ -209,6 +207,11 @@ linknamespace-libs-XOPEN2K8 = $(linknamespace-libs-xsi)
linknamespace-libs = $(foreach std,$(conformtest-standards),\
$(linknamespace-libs-$(std)))
+ifeq ($(build-crypt),yes)
+linknamespace-libs-xsi += $(common-objpfx)crypt/libcrypt.a
+linknamespace-libs-XPG4 += $(common-objpfx)crypt/libcrypt.a
+endif
+
$(linknamespace-symlist-stdlibs-tests): $(objpfx)symlist-stdlibs-%: \
$(linknamespace-libs)
LC_ALL=C $(READELF) -W -s $(linknamespace-libs-$*) > $@; \
@@ -35,10 +35,6 @@ tests := cert md5c-test sha256c-test sha512c-test badsalttest
# cert.c tests the deprecated setkey/encrypt interface
CFLAGS-cert.c = -Wno-deprecated-declarations
-ifeq ($(crypt-in-libc),yes)
-routines += $(libcrypt-routines)
-endif
-
ifeq ($(nss-crypt),yes)
nss-cpp-flags := -DUSE_NSS \
-I$(shell nss-config --includedir) -I$(shell nspr-config --includedir)
@@ -28,7 +28,10 @@
__BEGIN_DECLS
-/* Encrypt at most 8 characters from KEY using salt to perturb DES. */
+/* Hash a password, KEY, for storage in /etc/shadow. SALT selects the
+ hashing algorithm to be used, and ensures that no two users' passwords
+ are hashed to the same string. The return value points to static
+ storage which will be overwritten by the next call to crypt. */
extern char *crypt (const char *__key, const char *__salt)
__THROW __nonnull ((1, 2));
@@ -385,14 +385,21 @@ $(objpfx)tst-_dl_addr_inside_object: $(objpfx)dl-addr-obj.os
CFLAGS-tst-_dl_addr_inside_object.c += $(PIE-ccflag)
endif
-# By default tst-linkall-static should try to use crypt routines to test
-# static libcrypt use.
+# We can only test static libcrypt use if libcrypt has been built,
+# and either NSS crypto is not in use, or static NSS libraries are
+# available.
+ifeq ($(build-crypt),no)
+CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=0
+else
+ifeq ($(nss-crypt),no)
+CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1
+else
+ifeq ($(static-nss-crypt),no)
+CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=0
+else
CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1
-# However, if we are using NSS crypto and we don't have a static
-# library, then we exclude the use of crypt functions in the test.
-# We similarly exclude libcrypt.a from the static link (see below).
-ifeq (yesno,$(nss-crypt)$(static-nss-crypt))
-CFLAGS-tst-linkall-static.c += -UUSE_CRYPT -DUSE_CRYPT=0
+endif
+endif
endif
include ../Rules
@@ -1113,7 +1120,6 @@ localplt-built-dso := $(addprefix $(common-objpfx),\
rt/librt.so \
dlfcn/libdl.so \
resolv/libresolv.so \
- crypt/libcrypt.so \
)
ifeq ($(build-mathvec),yes)
localplt-built-dso += $(addprefix $(common-objpfx), mathvec/libmvec.so)
@@ -1121,6 +1127,9 @@ endif
ifeq ($(have-thread-library),yes)
localplt-built-dso += $(filter-out %_nonshared.a, $(shared-thread-library))
endif
+ifeq ($(build-crypt),yes)
+localplt-built-dso += $(addprefix $(common-objpfx), crypt/libcrypt.so)
+endif
vpath localplt.data $(+sysdep_dirs)
@@ -1395,6 +1404,7 @@ $(objpfx)tst-linkall-static: \
$(common-objpfx)resolv/libanl.a \
$(static-thread-library)
+ifeq ($(build-crypt),yes)
# If we are using NSS crypto and we have the ability to link statically
# then we include libcrypt.a, otherwise we leave out libcrypt.a and
# link as much as we can into the tst-linkall-static test. This assumes
@@ -1410,6 +1420,7 @@ ifeq (no,$(nss-crypt))
$(objpfx)tst-linkall-static: \
$(common-objpfx)crypt/libcrypt.a
endif
+endif
# The application depends on the DSO, and the DSO loads the plugin.
# The plugin also depends on the DSO. This creates the circular
@@ -18,7 +18,9 @@
#include <math.h>
#include <pthread.h>
-#include <crypt.h>
+#if USE_CRYPT
+# include <crypt.h>
+#endif
#include <resolv.h>
#include <dlfcn.h>
#include <utmp.h>
@@ -230,6 +230,18 @@ libnss_nisplus are not built at all.
Use this option to enable libnsl with all depending NSS modules and
header files.
+@item --disable-crypt
+Do not install the password-hashing library @file{libcrypt} or the
+header file @file{crypt.h}. @file{unistd.h} will still declare the
+function @code{crypt}, as required by POSIX. Using this option does
+not change the set of programs that may need to be linked with
+@option{-lcrypt}; it only means that @theglibc{} will not provide that
+library.
+
+This option is for hackers and distributions experimenting with
+independently-maintained implementations of libcrypt. It may become
+the default in a future release.
+
@item --disable-experimental-malloc
By default, a per-thread cache is enabled in @code{malloc}. While
this cache can be disabled on a per-application basis using tunables
@@ -1119,10 +1119,11 @@ extern int fdatasync (int __fildes);
#endif /* Use POSIX199309 */
-/* XPG4.2 specifies that prototypes for the encryption functions must
- be defined here. */
#ifdef __USE_XOPEN
-/* Encrypt at most 8 characters from KEY using salt to perturb DES. */
+/* Hash a password, KEY, for storage in /etc/shadow. SALT selects the
+ hashing algorithm to be used, and ensures that no two users' passwords
+ are hashed to the same string. The return value points to static
+ storage which will be overwritten by the next call to crypt. */
extern char *crypt (const char *__key, const char *__salt)
__THROW __nonnull ((1, 2));