diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/libxcrypt')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/libxcrypt/check_passthru_matches.py | 70 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/libraries/libxcrypt/default.nix | 68 |
2 files changed, 138 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/libxcrypt/check_passthru_matches.py b/nixpkgs/pkgs/development/libraries/libxcrypt/check_passthru_matches.py new file mode 100644 index 000000000000..ebe728e9a69b --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/libxcrypt/check_passthru_matches.py @@ -0,0 +1,70 @@ +import tarfile +import sys + + +def process_columns(line: list[str]) -> tuple[str, list[str]]: + match line: + case [name, h_prefix, nrbytes, flags]: + return (h_prefix, flags.lower().split(",")) + case other: + raise Exception("Unsupported hashes.conf line format", other) + + +def find_tar_file(tar: tarfile.TarFile, requested_name: str): + """Attempts to find a single file with given name in tarball.""" + all_names = tar.getnames() + + if requested_name in all_names: + return requested_name + + requested_suffix = f"/{requested_name}" + candidate_names = [name for name in all_names if name.endswith(requested_suffix)] + match candidate_names: + case [real_name]: + return real_name + case other: + raise KeyError( + f"Could not locate a single {requested_name} in the contents of the tarball." + ) + + +hashes_path = "lib/hashes.conf" + + +def main() -> None: + match sys.argv: + case [_name, src, enable_hashes, "--", *enabled_crypt_scheme_ids]: + pass + case other: + raise Exception( + "Incorrect number of arguments. Usage: check_passthru_matches.py <src> <enable_hashes> -- <enabled_crypt_scheme_ids...>" + ) + + with tarfile.open(src, "r") as tar: + real_hashes_path = find_tar_file(tar, hashes_path) + config = tar.extractfile(real_hashes_path).read().decode("utf-8") + + formats = [ + process_columns(columns) + for line in config.splitlines() + if not line.startswith("#") and len(columns := line.split()) > 0 + ] + expected_supported_formats = set( + prefix + for (prefix, flags) in formats + if enable_hashes in flags or enable_hashes == "all" + ) + passthru_supported_schemes = set( + f"${scheme}$" for scheme in enabled_crypt_scheme_ids + ) + + assert ( + len(expected_supported_formats - passthru_supported_schemes) == 0 + ), f"libxcrypt package enables the following crypt schemes that are not listed in passthru.enabledCryptSchemeIds: {expected_supported_formats - passthru_supported_schemes}" + assert ( + len(passthru_supported_schemes - expected_supported_formats) == 0 + ), f"libxcrypt package lists the following crypt schemes in passthru.enabledCryptSchemeIds that are not supported: {passthru_supported_schemes - expected_supported_formats}" + + +if __name__ == "__main__": + main() diff --git a/nixpkgs/pkgs/development/libraries/libxcrypt/default.nix b/nixpkgs/pkgs/development/libraries/libxcrypt/default.nix new file mode 100644 index 000000000000..d45155e80029 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/libxcrypt/default.nix @@ -0,0 +1,68 @@ +{ lib, stdenv, fetchurl, perl +# Update the enabled crypt scheme ids in passthru when the enabled hashes change +, enableHashes ? "strong" +, nixosTests +, runCommand +, python3 +}: + +stdenv.mkDerivation (finalAttrs: { + pname = "libxcrypt"; + version = "4.4.36"; + + src = fetchurl { + url = "https://github.com/besser82/libxcrypt/releases/download/v${finalAttrs.version}/libxcrypt-${finalAttrs.version}.tar.xz"; + hash = "sha256-5eH0yu4KAd4q7ibjE4gH1tPKK45nKHlm0f79ZeH9iUM="; + }; + + outputs = [ + "out" + "man" + ]; + + configureFlags = [ + "--enable-hashes=${enableHashes}" + "--enable-obsolete-api=glibc" + "--disable-failure-tokens" + # required for musl, android, march=native + "--disable-werror" + ]; + + nativeBuildInputs = [ + perl + ]; + + enableParallelBuilding = true; + + doCheck = true; + + passthru = { + tests = { + inherit (nixosTests) login shadow; + + passthruMatches = runCommand "libxcrypt-test-passthru-matches" { } '' + ${python3.interpreter} "${./check_passthru_matches.py}" ${lib.escapeShellArgs ([ finalAttrs.src enableHashes "--" ] ++ finalAttrs.passthru.enabledCryptSchemeIds)} + touch "$out" + ''; + }; + enabledCryptSchemeIds = [ + # https://github.com/besser82/libxcrypt/blob/v4.4.35/lib/hashes.conf + "y" # yescrypt + "gy" # gost_yescrypt + "7" # scrypt + "2b" # bcrypt + "2y" # bcrypt_y + "2a" # bcrypt_a + "6" # sha512crypt + ]; + }; + + meta = with lib; { + changelog = "https://github.com/besser82/libxcrypt/blob/v${finalAttrs.version}/NEWS"; + description = "Extended crypt library for descrypt, md5crypt, bcrypt, and others"; + homepage = "https://github.com/besser82/libxcrypt/"; + platforms = platforms.all; + maintainers = with maintainers; [ dottedmag hexa ]; + license = licenses.lgpl21Plus; + }; +}) |