
New configure option --disable-libcrypt.

Message ID 20180416013614.29962-1-zackw@panix.com
State New

Commit Message

Zack Weinberg April 16, 2018, 1:36 a.m. UTC
Some Linux distributions are experimenting with a new, separately
maintained and hopefully more agile implementation of the crypt(3)
APIs.  To facilitate this, add a configure option which disables
glibc's embedded libcrypt.  When this option is given, libcrypt.*
and crypt.h will not be built nor installed; the prototypes for
crypt and encrypt will not appear in unistd.h; the prototype for
setkey will not appear in stdlib.h; the feature test macro
_XOPEN_CRYPT will be undefined; and sysconf(_SC_XOPEN_CRYPT) will
return -1.

(There is an argument for defining _XOPEN_CRYPT to -1 instead.  The
POSIX spec says that undefined means the same thing as defined to -1,
but the Linux sysconf(3) manpage differs, so it's a question of who
believed what.  I went with undefined on the theory that people might
be testing it with #ifdef instead of #if >= 0.)

The bulk of the patch is just various places that need to take note of
libcrypt possibly not getting built.  The _interesting_ part is the
treatment of stdlib.h and unistd.h.  The declarations that need to
appear conditionally are moved to bits headers, each of which has two
variants, one which declares them and one which doesn't.  In the
source tree, neither of them has the name by which the parent header
includes it; very early in the build we select the appropriate one and
copy it to the expected name.  I would really appreciate a second pair
of eyes on the changes to Makerules, which are fragile to the point
that they don't work if they appear later in the file!  (Because
$(before-compile) is order-sensitive.)

	* configure.ac: Add new command-line option --disable-libcrypt.
	Force --disable-nss-crypt when --disable-libcrypt is given, with a
	warning if it was explicitly enabled.
	* configure, config.make.in: Regenerate.
	* Makeconfig: Only include 'crypt' in all-subdirs and rpath-dirs
	when $(build-libcrypt) is yes.
	* Makerules: Add rules to build bits/stdlib-crypt.h and
	bits/unistd-crypt.h depending on the value of $(build-libcrypt),
	in the before-compile phase.
	* posix/Makefile (headers): Add bits/unistd-crypt.h.
	* stdlib/Makefile (headers): Add bits/stdlib-crypt.h.

	* posix/unistd.h: Move declarations of _XOPEN_CRYPT, crypt, and
	encrypt to ...
	* posix/bits/unistd-crypt-yes.h: ...this new file.
	* posix/bits/unistd-crypt-no.h: New file, which doesn't declare
	anything.

	* stdlib/stdlib.h: Move declaration of setkey to...
	* posix/bits/stdlib-crypt-yes.h: ...this new file.
	* posix/bits/stdlib-crypt-no.h: New file, which doesn't declare
	anything.

	* conform/data/stdlib.h-data: Only expect setkey when HAVE_CRYPT
	is 1.
	* conform/data/unistd.h-data: Only expect _XOPEN_CRYPT, crypt, and
	encrypt when HAVE_CRYPT is 1.  When _XOPEN_CRYPT is expected, it
	should be a macro with value 1.
	* conform/conformtest.pl: Add new command line option
	--have-crypt.  When preprocessing control files, define HAVE_CRYPT
	to 1 when --have-crypt was given, 0 otherwise.
	* conform/Makefile: Pass --have-crypt to conformtest.pl when
	$(build-libcrypt) is yes.
	Only include libcrypt.a in linknamespace-libs-xsi and
	linknamespace-libs-XPG4 when $(build-libcrypt) is yes.
	* elf/Makefile (CFLAGS-tst-linkall-static.c): Only define
	USE_CRYPT to 1 when $(build-libcrypt) is yes.
	(tst-linkall-static): Only link with libcrypt.a when
	$(build-libcrypt) is yes.
	(localplt-built-dso): Only include libcrypt.so when
	$(build-libcrypt) is yes.
	* elf/tst-linkall-static.c: Only include crypt.h when USE_CRYPT is
	true.
---
 Makeconfig                     |  9 ++++++--
 Makerules                      | 19 ++++++++++++++++
 config.make.in                 |  1 +
 configure                      | 32 +++++++++++++++++++++++++-
 configure.ac                   | 11 +++++++++
 conform/Makefile               | 19 +++++++++++-----
 conform/conformtest.pl         |  8 +++++--
 conform/data/stdlib.h-data     |  2 +-
 conform/data/unistd.h-data     |  8 ++++---
 elf/Makefile                   | 27 +++++++++++++++-------
 elf/tst-linkall-static.c       |  2 ++
 posix/Makefile                 |  2 +-
 posix/bits/unistd-crypt-no.h   | 29 ++++++++++++++++++++++++
 posix/bits/unistd-crypt-yes.h  | 41 ++++++++++++++++++++++++++++++++++
 posix/unistd.h                 | 18 +++------------
 stdlib/Makefile                |  5 +++--
 stdlib/bits/stdlib-crypt-no.h  | 29 ++++++++++++++++++++++++
 stdlib/bits/stdlib-crypt-yes.h | 33 +++++++++++++++++++++++++++
 stdlib/stdlib.h                |  9 +++-----
 19 files changed, 258 insertions(+), 46 deletions(-)
 create mode 100644 posix/bits/unistd-crypt-no.h
 create mode 100644 posix/bits/unistd-crypt-yes.h
 create mode 100644 stdlib/bits/stdlib-crypt-no.h
 create mode 100644 stdlib/bits/stdlib-crypt-yes.h

Comments

Florian Weimer April 16, 2018, 3:10 p.m. UTC | #1
On 04/16/2018 03:36 AM, Zack Weinberg wrote:
> diff --git a/elf/tst-linkall-static.c b/elf/tst-linkall-static.c
> index e8df38f74e..0ffae7c723 100644
> --- a/elf/tst-linkall-static.c
> +++ b/elf/tst-linkall-static.c
> @@ -18,7 +18,9 @@
>   
>   #include <math.h>
>   #include <pthread.h>
> +#if USE_CRYPT
>   #include <crypt.h>
> +#endif

The #include should be indented.

> diff --git a/posix/unistd.h b/posix/unistd.h
> index 4d149f9945..d9ac9d4c51 100644
> --- a/posix/unistd.h
> +++ b/posix/unistd.h
> @@ -107,9 +107,6 @@ __BEGIN_DECLS
>   /* The X/Open Unix extensions are available.  */
>   #define _XOPEN_UNIX	1
>   
> -/* Encryption is present.  */
> -#define	_XOPEN_CRYPT	1
> -
>   /* The enhanced internationalization capabilities according to XPG4.2
>      are present.  */
>   #define	_XOPEN_ENH_I18N	1
> @@ -1118,20 +1115,11 @@ ssize_t copy_file_range (int __infd, __off64_t *__pinoff,
>   extern int fdatasync (int __fildes);
>   #endif /* Use POSIX199309 */
>   
> +/* The X/Open Encryption Option Group may or may not be supported in
> +   this release of the GNU C Library.  */
> +#include <bits/unistd-crypt.h>

Based on the Fedora experience, I wonder if it's not best to keep
support for _XOPEN_CRYPT unconditionally.  GCC still supports implicit
function definitions by default and coerces the implied int return type
to a pointer value.  This means that if we drop the prototype from
<unistd.h>, a program like

#include <stdio.h>
#include <unistd.h>

int
main (int argc, char **argv)
{
  return puts(crypt(argv[1], argv[2]));
}

still builds and links successfully, but crashes at run time on 64-bit
architectures.

From a developer perspective, it would avoid a bit of hassle if we just
said that if a distribution builds with --disable-libcrypt, it still
needs to supply a compatible libcrypt with a definition of crypt and a
default symbol version.

With encrypt and setkey, the situation is less pronounced because these 
functions are obsolete, and we can produce link errors if developers use 
them.

Thanks,
Florian
Zack Weinberg April 16, 2018, 3:56 p.m. UTC | #2
On Mon, Apr 16, 2018 at 11:10 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 04/16/2018 03:36 AM, Zack Weinberg wrote:
>>
>> diff --git a/elf/tst-linkall-static.c b/elf/tst-linkall-static.c
>> index e8df38f74e..0ffae7c723 100644
>> --- a/elf/tst-linkall-static.c
>> +++ b/elf/tst-linkall-static.c
>> @@ -18,7 +18,9 @@
>>     #include <math.h>
>>   #include <pthread.h>
>> +#if USE_CRYPT
>>   #include <crypt.h>
>> +#endif
>
> The #include should be indented.

Will fix.

>> +/* The X/Open Encryption Option Group may or may not be supported in
>> +   this release of the GNU C Library.  */
>> +#include <bits/unistd-crypt.h>
>
> Based on the Fedora experience, I wonder if it's not best to keep support
> for _XOPEN_CRYPT unconditionally.  GCC still supports implicit function
> definitions by default and coerces the implied int return type to a pointer
> value.
...
> From a developer perspective, it would avoid a bit of hassle if we just said
> that if a distribution builds with --disable-libcrypt, it still needs to
> supply a compatible libcrypt with a definition of crypt and a default symbol
> version.
>
> With encrypt and setkey, the situation is less pronounced because these
> functions are obsolete, and we can produce link errors if developers use
> them.

Let me see if I understand what you have in mind:  In
--disable-libcrypt mode, we would preserve _XOPEN_CRYPT, with value 1,
and the prototype for crypt in unistd.h.  We would also preserve the
prototypes for encrypt and setkey, but maybe with
__attribute__((deprecated)).  We just wouldn't provide crypt.h or
libcrypt.  It's not a conformance violation for us to continue
defining _XOPEN_CRYPT as 1 because, as long as you get libcrypt from
_somewhere_, it will work at runtime.  Is that right?

I like this plan because it means the patch doesn't have to touch Makerules :)

zw

p.s. Maybe someone with the ability to file Austin Group defect
reports or interpretation requests or whatever they're called should
request the formal deprecation of encrypt and setkey?
Zack Weinberg April 16, 2018, 6:41 p.m. UTC | #3
On Mon, Apr 16, 2018 at 11:56 AM, Zack Weinberg <zackw@panix.com> wrote:
>
> p.s. Maybe someone with the ability to file Austin Group defect
> reports or interpretation requests or whatever they're called should
> request the formal deprecation of encrypt and setkey?

Turns out I have that ability!  http://austingroupbugs.net/view.php?id=1192
Florian Weimer April 17, 2018, 10:21 a.m. UTC | #4
On 04/16/2018 05:56 PM, Zack Weinberg wrote:

> Let me see if I understand what you have in mind:  In
> --disable-libcrypt mode, we would preserve _XOPEN_CRYPT, with value 1,
> and the prototype for crypt in unistd.h.

My main proposal is preserving the prototype for crypt, under 
_GNU_SOURCE if necessary (without defining _XOPEN_CRYPT).

I just don't see value in the friction caused by dropping the definition.

> We would also preserve the
> prototypes for encrypt and setkey, but maybe with
> __attribute__((deprecated)).

I'm less concerned about these two functions.  We can do there whatever 
we think is best from a standard compliance perspective, I think.  There 
simply aren't enough users to make a difference, I think.  This is very 
different for the crypt function.

> We just wouldn't provide crypt.h or libcrypt.

Exactly.

> It's not a conformance violation for us to continue
> defining _XOPEN_CRYPT as 1 because, as long as you get libcrypt from
> _somewhere_, it will work at runtime.  Is that right?

Right.

It could still be a conformance violation for setkey/encrypt because 
current libxcrypt (at least the version in Fedora) does not provide the 
functions anymore for linking:

$ eu-readelf --symbols=.dynsym /lib64/libcrypt.so.1 | grep encrypt
    38: 000000000000b330     20 FUNC    GLOBAL DEFAULT       12 encrypt_r@GLIBC_2.2.5
    52: 000000000000b360     16 FUNC    GLOBAL DEFAULT       12 encrypt@GLIBC_2.2.5

Thanks,
Florian
Zack Weinberg April 18, 2018, 1:43 p.m. UTC | #5
On Tue, Apr 17, 2018 at 6:21 AM, Florian Weimer <fweimer@redhat.com> wrote:
> On 04/16/2018 05:56 PM, Zack Weinberg wrote:
>
>> Let me see if I understand what you have in mind:  In
>> --disable-libcrypt mode, we would preserve _XOPEN_CRYPT, with value 1,
>> and the prototype for crypt in unistd.h.
>
> My main proposal is preserving the prototype for crypt, under _GNU_SOURCE if
> necessary (without defining _XOPEN_CRYPT).
>
> I just don't see value in the friction caused by dropping the definition.

Makes sense.

> It could still be a conformance violation for setkey/encrypt because current
> libxcrypt (at least the version in Fedora) does not provide the functions
> anymore for linking:
>
> $ eu-readelf --symbols=.dynsym /lib64/libcrypt.so.1 | grep encrypt
>    38: 000000000000b330     20 FUNC    GLOBAL DEFAULT       12 encrypt_r@GLIBC_2.2.5
>    52: 000000000000b360     16 FUNC    GLOBAL DEFAULT       12 encrypt@GLIBC_2.2.5

Yeah, I did that on purpose; the total insecurity of single DES
outweighs standard compliance in this case, I think.  And, as you say,
there probably aren't very many users.

I'll send a revised patch shortly.

zw
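The thread's point that a symbol present only under a non-default version (encrypt@GLIBC_2.2.5 rather than encrypt@@...) still serves already-linked binaries but cannot be linked against by new programs can be checked from a readelf listing. What follows is an added example, not code from the thread or from glibc or libxcrypt; it parses eu-readelf --symbols=.dynsym output, with the two encrypt lines taken from the thread and the other lines, including the XCRYPT_2.0 version tag, constructed for the example.

```python
"""Classify the symbols in an eu-readelf --symbols=.dynsym listing by
whether a newly linked program can use them.

Added example for the thread above, not glibc or libxcrypt code.  Rule
applied: a defined GLOBAL/WEAK symbol is available to the link editor if
it is unversioned or carries a default version (NAME@@VER); a symbol
that exists only under a non-default version (NAME@VER) keeps existing
binaries working but gives new programs an undefined-reference error.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Sample listing.  The two encrypt lines are the ones quoted in the
# thread; the remaining lines (and the XCRYPT_2.0 version tag) are
# constructed for this example and do not describe any real library.
SAMPLE_DYNSYM = """\
   38: 000000000000b330     20 FUNC    GLOBAL DEFAULT       12 encrypt_r@GLIBC_2.2.5
   52: 000000000000b360     16 FUNC    GLOBAL DEFAULT       12 encrypt@GLIBC_2.2.5
   61: 000000000000b390     24 FUNC    GLOBAL DEFAULT       12 setkey@GLIBC_2.2.5
   70: 0000000000003c40    540 FUNC    GLOBAL DEFAULT       12 crypt@@XCRYPT_2.0
   71: 0000000000003c40    540 FUNC    GLOBAL DEFAULT       12 crypt@GLIBC_2.2.5
   72: 0000000000004100     80 FUNC    GLOBAL DEFAULT       12 crypt_r@@XCRYPT_2.0
   80: 0000000000000000      0 FUNC    GLOBAL DEFAULT    UNDEF free@GLIBC_2.2.5
"""


class DynSym(NamedTuple):
    name: str
    version: Optional[str]  # None when the symbol is unversioned
    default: bool           # True for NAME@@VER or an unversioned symbol
    defined: bool           # False for UNDEF entries (the library's own imports)
    bind: str               # GLOBAL, WEAK, LOCAL, ...


# One eu-readelf symbol line: index, value, size, type, bind, vis, ndx, name.
_SYMBOL_LINE = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\d+\s+(?P<type>\S+)\s+(?P<bind>\S+)\s+"
    r"(?P<vis>\S+)\s+(?P<ndx>\S+)\s+(?P<sym>\S+)\s*$"
)


def parse_dynsym(listing: str) -> List[DynSym]:
    """Parse the symbol lines of an eu-readelf listing; other lines are skipped."""
    symbols = []
    for line in listing.splitlines():
        match = _SYMBOL_LINE.match(line)
        if not match:
            continue  # section headers, column titles, blank lines
        sym = match.group("sym")
        if "@@" in sym:
            name, version = sym.split("@@", 1)
            default = True
        elif "@" in sym:
            name, version = sym.split("@", 1)
            default = False
        else:
            name, version, default = sym, None, True
        symbols.append(DynSym(name, version, default,
                              match.group("ndx") != "UNDEF", match.group("bind")))
    return symbols


def _exported(symbols: Iterable[DynSym]) -> List[DynSym]:
    # Only defined GLOBAL/WEAK symbols are exported to other objects.
    return [s for s in symbols if s.defined and s.bind in ("GLOBAL", "WEAK")]


def linkable_symbols(listing: str) -> Set[str]:
    """Names that a newly built program can resolve at link time."""
    return {s.name for s in _exported(parse_dynsym(listing)) if s.default}


def compat_only_symbols(listing: str) -> Set[str]:
    """Names exported only under a non-default version: usable at run time only."""
    linkable = linkable_symbols(listing)
    return {s.name for s in _exported(parse_dynsym(listing)) if s.name not in linkable}


def link_status(listing: str, wanted: Iterable[str]) -> Dict[str, str]:
    """Report, for each wanted name, 'default', 'compat-only' or 'missing'."""
    linkable = linkable_symbols(listing)
    compat = compat_only_symbols(listing)
    status = {}
    for name in wanted:
        if name in linkable:
            status[name] = "default"
        elif name in compat:
            status[name] = "compat-only"
        else:
            status[name] = "missing"
    return status


if __name__ == "__main__":
    for name, state in link_status(SAMPLE_DYNSYM, ["crypt", "encrypt", "setkey"]).items():
        print(f"{name}: {state}")
```

Against the sample, crypt reports "default" and encrypt and setkey report "compat-only", which is the situation Florian describes for Fedora's libcrypt.so.1.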

Patch

diff --git a/Makeconfig b/Makeconfig
index 1afe86475c..7ead0f3fc3 100644
--- a/Makeconfig
+++ b/Makeconfig
@@ -566,7 +566,7 @@  link-libc-printers-tests = $(link-libc-rpath) \
 			   $(link-libc-tests-after-rpath-link)
 
 # This is how to find at build-time things that will be installed there.
-rpath-dirs = math elf dlfcn nss nis rt resolv crypt mathvec support
+rpath-dirs = math elf dlfcn nss nis rt resolv mathvec support
 rpath-link = \
 $(common-objdir):$(subst $(empty) ,:,$(patsubst ../$(subdir),.,$(rpath-dirs:%=$(common-objpfx)%)))
 else  # build-static
@@ -1205,9 +1205,14 @@  all-subdirs = csu assert ctype locale intl catgets math setjmp signal	    \
 	      stdlib stdio-common libio malloc string wcsmbs time dirent    \
 	      grp pwd posix io termios resource misc socket sysvipc gmon    \
 	      gnulib iconv iconvdata wctype manual shadow gshadow po argp   \
-	      crypt localedata timezone rt conform debug mathvec support    \
+	      localedata timezone rt conform debug mathvec support	    \
 	      dlfcn elf
 
+ifeq ($(build-libcrypt),yes)
+all-subdirs += crypt
+rpath-dirs += crypt
+endif
+
 ifndef avoid-generated
 # sysd-sorted itself will contain rules making the sysd-sorted target
 # depend on Depend files.  But if you just added a Depend file to an
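Review bot: the `rpath-dirs += crypt` here sits some 600 lines after `rpath-link` is computed from `rpath-dirs`; that only works because `rpath-link` is defined with `=` (recursively expanded), so a short comment at the first hunk saying that crypt is appended later under `$(build-libcrypt)` would save the next reader from thinking it was dropped. The original definition also appears to live only in the shared branch (the `else  # build-static` right after it), whereas this `+=` is unconditional; guarding it the same way would be cleaner.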
diff --git a/Makerules b/Makerules
index b2c2724fcb..9faa025a8d 100644
--- a/Makerules
+++ b/Makerules
@@ -115,6 +115,25 @@  $(common-objpfx)ldbl-compat-choose.h: $(common-objpfx)versions.stmp
 endif # avoid-generated
 endif # $(build-shared) = yes
 
+# unistd.h and stdlib.h may or may not declare functions from libcrypt,
+# depending on configure options.  The gen-as-const-headers process may
+# attempt to read these headers.
+$(common-objpfx)bits/stdlib-crypt.h: \
+		$(..)stdlib/bits/stdlib-crypt-$(build-libcrypt).h \
+		$(common-objpfx)config.make
+	cp $< $@T
+	mv -f $@T $@
+common-generated += $(common-objpfx)bits/stdlib-crypt.h
+before-compile += $(common-objpfx)bits/stdlib-crypt.h
+
+$(common-objpfx)bits/unistd-crypt.h: \
+		$(..)posix/bits/unistd-crypt-$(build-libcrypt).h \
+		$(common-objpfx)config.make
+	cp $< $@T
+	mv -f $@T $@
+common-generated += $(common-objpfx)bits/unistd-crypt.h
+before-compile += $(common-objpfx)bits/unistd-crypt.h
+
 ifndef avoid-generated
 ifneq (,$(CXX))
 # If C++ headers <cstdlib> or <cmath> are used, GCC 6 will include
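Review bot: neither recipe creates `$(common-objpfx)bits/`, so if one of these is the first generated bits header to be built, `cp $< $@T` fails; worth confirming the directory exists by then or adding a directory prerequisite. The comment should also record what the commit message says, that these `before-compile +=` lines must appear this early because `$(before-compile)` is order-sensitive. And since the prerequisite name is built from `$(build-libcrypt)`, any value other than exactly `yes` or `no` from configure surfaces here as a missing-file error rather than a clear message.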
diff --git a/config.make.in b/config.make.in
index 9e5e24b2c6..3efefccfdb 100644
--- a/config.make.in
+++ b/config.make.in
@@ -96,6 +96,7 @@  cross-compiling = @cross_compiling@
 force-install = @force_install@
 link-obsolete-rpc = @link_obsolete_rpc@
 build-obsolete-nsl = @build_obsolete_nsl@
+build-libcrypt = @build_libcrypt@
 build-nscd = @build_nscd@
 use-nscd = @use_nscd@
 build-hardcoded-path-in-tests= @hardcoded_path_in_tests@
diff --git a/configure b/configure
index 7a8bd3f817..5adbeba70a 100755
--- a/configure
+++ b/configure
@@ -676,6 +676,7 @@  build_obsolete_nsl
 link_obsolete_rpc
 libc_cv_static_nss_crypt
 libc_cv_nss_crypt
+build_libcrypt
 experimental_malloc
 enable_werror
 all_warnings
@@ -730,6 +731,7 @@  infodir
 docdir
 oldincludedir
 includedir
+runstatedir
 localstatedir
 sharedstatedir
 sysconfdir
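Review bot: the `runstatedir` additions in this and the following four configure hunks are unrelated to libcrypt; they come from regenerating with a different autoconf than the one the checked-in configure was made with, and should be dropped from this patch (or submitted on their own) so the regenerated file carries only the `enable_libcrypt`/`build_libcrypt` changes.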
@@ -779,6 +781,7 @@  enable_all_warnings
 enable_werror
 enable_multi_arch
 enable_experimental_malloc
+enable_libcrypt
 enable_nss_crypt
 enable_obsolete_rpc
 enable_obsolete_nsl
@@ -840,6 +843,7 @@  datadir='${datarootdir}'
 sysconfdir='${prefix}/etc'
 sharedstatedir='${prefix}/com'
 localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
 includedir='${prefix}/include'
 oldincludedir='/usr/include'
 docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
@@ -1092,6 +1096,15 @@  do
   | -silent | --silent | --silen | --sile | --sil)
     silent=yes ;;
 
+  -runstatedir | --runstatedir | --runstatedi | --runstated \
+  | --runstate | --runstat | --runsta | --runst | --runs \
+  | --run | --ru | --r)
+    ac_prev=runstatedir ;;
+  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+  | --run=* | --ru=* | --r=*)
+    runstatedir=$ac_optarg ;;
+
   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
     ac_prev=sbindir ;;
   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
@@ -1229,7 +1242,7 @@  fi
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
-		libdir localedir mandir
+		libdir localedir mandir runstatedir
 do
   eval ac_val=\$$ac_var
   # Remove trailing slashes.
@@ -1382,6 +1395,7 @@  Fine tuning of the installation directories:
   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
   --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
+  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
   --libdir=DIR            object code libraries [EPREFIX/lib]
   --includedir=DIR        C header files [PREFIX/include]
   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
@@ -1448,6 +1462,8 @@  Optional Features:
                           architectures
   --disable-experimental-malloc
                           disable experimental malloc features
+  --disable-libcrypt      do not build nor install the password hashing
+                          library, libcrypt
   --enable-nss-crypt      enable libcrypt to use nss
   --enable-obsolete-rpc   build and install the obsolete RPC code for
                           link-time usage
@@ -3505,6 +3521,15 @@  fi
 
 
 
+# Check whether --enable-libcrypt was given.
+if test "${enable_libcrypt+set}" = set; then :
+  enableval=$enable_libcrypt; build_libcrypt=$enableval
+else
+  build_libcrypt=yes
+fi
+
+
+
 # Check whether --enable-nss-crypt was given.
 if test "${enable_nss_crypt+set}" = set; then :
   enableval=$enable_nss_crypt; nss_crypt=$enableval
@@ -3512,6 +3537,11 @@  else
   nss_crypt=no
 fi
 
+if test x$build_libcrypt = xno && test x$nss_crypt = xyes; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: --enable-nss-crypt has no effect when libcrypt is disabled" >&5
+$as_echo "$as_me: WARNING: --enable-nss-crypt has no effect when libcrypt is disabled" >&2;}
+  nss_crypt=no
+fi
 if test x$nss_crypt = xyes; then
   nss_includes=-I$(nss-config --includedir 2>/dev/null)
   if test $? -ne 0; then
diff --git a/configure.ac b/configure.ac
index ca1282a6b3..d66d97dad3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -302,11 +302,22 @@  AC_ARG_ENABLE([experimental-malloc],
 	      [experimental_malloc=yes])
 AC_SUBST(experimental_malloc)
 
+AC_ARG_ENABLE([libcrypt],
+              AC_HELP_STRING([--disable-libcrypt],
+                             [do not build nor install the password hashing library, libcrypt]),
+              [build_libcrypt=$enableval],
+              [build_libcrypt=yes])
+AC_SUBST(build_libcrypt)
+
 AC_ARG_ENABLE([nss-crypt],
 	      AC_HELP_STRING([--enable-nss-crypt],
 			     [enable libcrypt to use nss]),
 	      [nss_crypt=$enableval],
 	      [nss_crypt=no])
+if test x$build_libcrypt = xno && test x$nss_crypt = xyes; then
+  AC_MSG_WARN([--enable-nss-crypt has no effect when libcrypt is disabled])
+  nss_crypt=no
+fi
 if test x$nss_crypt = xyes; then
   nss_includes=-I$(nss-config --includedir 2>/dev/null)
   if test $? -ne 0; then
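Review bot: `build_libcrypt=$enableval` accepts any string, so `--enable-libcrypt=maybe` yields `build_libcrypt=maybe`, which Makeconfig's `ifeq ($(build-libcrypt),yes)` treats as disabled while Makerules turns it into a prerequisite `stdlib-crypt-maybe.h` that does not exist; reject values other than yes/no with `AC_MSG_ERROR` in the action so the problem is reported at configure time. The `--enable-nss-crypt` interaction and its warning look right.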
diff --git a/conform/Makefile b/conform/Makefile
index 864fdeca21..693ae38e6a 100644
--- a/conform/Makefile
+++ b/conform/Makefile
@@ -171,6 +171,11 @@  conformtest-cross =
 else
 conformtest-cross = --cross
 endif
+ifeq ($(build-libcrypt),yes)
+conformtest-have-crypt = --have-crypt
+else
+conformtest-have-crypt =
+endif
 $(conformtest-header-tests): $(objpfx)%/conform.out: \
 			     conformtest.pl $(conformtest-headers-data)
 	(set -e; std_hdr=$*; std=$${std_hdr%%/*}; hdr=$${std_hdr#*/}; \
@@ -178,7 +183,7 @@  $(conformtest-header-tests): $(objpfx)%/conform.out: \
 	 $(PERL) -I. conformtest.pl --tmpdir=$(@D)/scratch --cc='$(CC)' \
 		 --flags='$(conformtest-cc-flags)' --standard=$$std \
 		 --headers=$$hdr $(conformtest-xfail) $(conformtest-cross) \
-		 > $@); \
+		 $(conformtest-have-crypt) > $@); \
 	$(evaluate-test)
 
 $(linknamespace-symlists-tests): $(objpfx)symlist-%: list-header-symbols.pl
@@ -193,13 +198,11 @@  linknamespace-libs-thr = $(linknamespace-libs-isoc) \
 			 $(common-objpfx)rt/librt.a $(static-thread-library)
 linknamespace-libs-posix = $(linknamespace-libs-thr) \
 			   $(common-objpfx)dlfcn/libdl.a
-linknamespace-libs-xsi = $(linknamespace-libs-posix) \
-			 $(common-objpfx)crypt/libcrypt.a
+linknamespace-libs-xsi = $(linknamespace-libs-posix)
 linknamespace-libs-ISO = $(linknamespace-libs-isoc)
 linknamespace-libs-ISO99 = $(linknamespace-libs-isoc)
 linknamespace-libs-ISO11 = $(linknamespace-libs-isoc)
-linknamespace-libs-XPG4 = $(linknamespace-libs-isoc) \
-			  $(common-objpfx)crypt/libcrypt.a
+linknamespace-libs-XPG4 = $(linknamespace-libs-isoc)
 linknamespace-libs-XPG42 = $(linknamespace-libs-XPG4)
 linknamespace-libs-POSIX = $(linknamespace-libs-thr)
 linknamespace-libs-UNIX98 = $(linknamespace-libs-xsi)
@@ -209,6 +212,12 @@  linknamespace-libs-XOPEN2K8 = $(linknamespace-libs-xsi)
 linknamespace-libs = $(foreach std,$(conformtest-standards),\
 				   $(linknamespace-libs-$(std)))
 
+ifeq ($(build-libcrypt),yes)
+linknamespace-libs-xsi += $(common-objpfx)crypt/libcrypt.a
+linknamespace-libs-XPG4 += $(common-objpfx)crypt/libcrypt.a
+endif
+
+
 $(linknamespace-symlist-stdlibs-tests): $(objpfx)symlist-stdlibs-%: \
 					$(linknamespace-libs)
 	LC_ALL=C $(READELF) -W -s $(linknamespace-libs-$*) > $@; \
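Review bot: the appended `linknamespace-libs-xsi +=` and `linknamespace-libs-XPG4 +=` lines come after the aliases such as `linknamespace-libs-UNIX98 = $(linknamespace-libs-xsi)`; that is fine only because those are recursive (`=`) assignments, and a one-line comment saying so would help. Also, two blank lines are added after the `endif` where the file otherwise uses one.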
diff --git a/conform/conformtest.pl b/conform/conformtest.pl
index cb500f0e76..0d09b62489 100644
--- a/conform/conformtest.pl
+++ b/conform/conformtest.pl
@@ -9,9 +9,11 @@  $CC = "gcc";
 $tmpdir = "/tmp";
 $cross = "";
 $xfail_str = "";
+$have_crypt = 0;
 GetOptions ('headers=s' => \@headers, 'standard=s' => \$standard,
 	    'flags=s' => \$flags, 'cc=s' => \$CC, 'tmpdir=s' => \$tmpdir,
-	    'cross' => \$cross, 'xfail=s' => \$xfail_str);
+	    'cross' => \$cross, 'xfail=s' => \$xfail_str,
+            'have-crypt' => \$have_crypt);
 @headers = split(/,/,join(',',@headers));
 
 # List of the headers we are testing.
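Review bot: the continuation line `'have-crypt' => \$have_crypt);` is indented with spaces while the lines above it in the GetOptions call use a tab; match the existing tab indentation.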
@@ -328,7 +330,9 @@  while ($#headers >= 0) {
   printf ("Testing <$h>\n");
   printf ("----------" . "-" x length ($h) . "\n");
 
-  open (CONTROL, "$CC -E -D$standard -std=c99 -x c data/$h-data |");
+  open (CONTROL,
+        "$CC -E -x c -std=c99 -D$standard -DHAVE_CRYPT=$have_crypt " .
+        "data/$h-data |");
   control: while (<CONTROL>) {
     chop;
     next control if (/^#/);
diff --git a/conform/data/stdlib.h-data b/conform/data/stdlib.h-data
index d8fcccc2fb..4a0fdfd213 100644
--- a/conform/data/stdlib.h-data
+++ b/conform/data/stdlib.h-data
@@ -149,7 +149,7 @@  function {unsigned short int*} seed48 (unsigned short int[3])
 #if !defined ISO && !defined ISO99 && !defined ISO11 && !defined POSIX && !defined XPG4 && !defined XPG42 && !defined UNIX98
 function int setenv (const char*, const char*, int)
 #endif
-#if !defined ISO && !defined ISO99 && !defined ISO11 && !defined POSIX && !defined POSIX2008
+#if HAVE_CRYPT && !defined ISO && !defined ISO99 && !defined ISO11 && !defined POSIX && !defined POSIX2008
 function void setkey (const char*)
 #endif
 #if !defined ISO && !defined ISO99 && !defined ISO11 && !defined XPG4 && !defined POSIX && !defined POSIX2008
diff --git a/conform/data/unistd.h-data b/conform/data/unistd.h-data
index ddf4f25132..3ea9f0c49f 100644
--- a/conform/data/unistd.h-data
+++ b/conform/data/unistd.h-data
@@ -86,7 +86,9 @@  optional-constant _POSIX2_FORT_DEV
 optional-constant _POSIX2_FORT_RUN
 optional-constant _POSIX2_SW_DEV
 # if !defined POSIX && !defined POSIX2008
-optional-constant _XOPEN_CRYPT
+#  if HAVE_CRYPT
+macro-int-constant _XOPEN_CRYPT {int} == 1
+#  endif
 optional-constant _XOPEN_ENH_I18N
 optional-constant _XOPEN_LEGACY
 optional-constant _XOPEN_REALTIME
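Review bot: when HAVE_CRYPT is 0 this hunk neither expects nor forbids `_XOPEN_CRYPT`, so the --disable-libcrypt configuration would not notice a stray definition leaking through; if conformtest can express "must not be defined", using it here would make the negative case meaningful, otherwise the limitation deserves a comment in the data file.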
@@ -437,7 +439,7 @@  function int chroot (const char*)
 function int chown (const char*, uid_t, gid_t)
 function int close (int)
 function size_t confstr (int, char*, size_t)
-#if !defined POSIX && !defined POSIX2008
+#if HAVE_CRYPT && !defined POSIX && !defined POSIX2008
 function {char*} crypt (const char*, const char*)
 #endif
 #if defined XPG4 || defined XPG42 || defined UNIX98
@@ -449,7 +451,7 @@  allow cuserid
 #endif
 function int dup (int)
 function int dup2 (int, int)
-#if !defined POSIX && !defined POSIX2008
+#if HAVE_CRYPT && !defined POSIX && !defined POSIX2008
 function void encrypt (char[64], int)
 #endif
 function int execl (const char*, const char*, ...)
diff --git a/elf/Makefile b/elf/Makefile
index e658928305..aa8434c875 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -385,14 +385,21 @@  $(objpfx)tst-_dl_addr_inside_object: $(objpfx)dl-addr-obj.os
 CFLAGS-tst-_dl_addr_inside_object.c += $(PIE-ccflag)
 endif
 
-# By default tst-linkall-static should try to use crypt routines to test
-# static libcrypt use.
+# We can only test static libcrypt use if libcrypt has been built,
+# and either NSS crypto is not in use, or static NSS libraries are
+# available.
+ifeq ($(build-libcrypt),no)
+CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=0
+else
+ifeq ($(nss-crypt),no)
+CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1
+else
+ifeq ($(static-nss-crypt),no)
+CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=0
+else
 CFLAGS-tst-linkall-static.c += -DUSE_CRYPT=1
-# However, if we are using NSS crypto and we don't have a static
-# library, then we exclude the use of crypt functions in the test.
-# We similarly exclude libcrypt.a from the static link (see below).
-ifeq (yesno,$(nss-crypt)$(static-nss-crypt))
-CFLAGS-tst-linkall-static.c += -UUSE_CRYPT -DUSE_CRYPT=0
+endif
+endif
 endif
 
 include ../Rules
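Review bot: the three nested `ifeq` blocks reproduce the old `ifeq (yesno,$(nss-crypt)$(static-nss-crypt))` condition plus the new build-libcrypt check; the same logic reads more easily as a default `-DUSE_CRYPT=1` followed by one condition that overrides it with 0 when `$(build-libcrypt)` is no or when `$(nss-crypt)$(static-nss-crypt)` is `yesno`. That would also let the deleted comment about excluding libcrypt.a from the static link ("see below") survive, since the later hunk still relies on it.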
@@ -1113,7 +1120,6 @@  localplt-built-dso := $(addprefix $(common-objpfx),\
 				  rt/librt.so \
 				  dlfcn/libdl.so \
 				  resolv/libresolv.so \
-				  crypt/libcrypt.so \
 		       )
 ifeq ($(build-mathvec),yes)
 localplt-built-dso += $(addprefix $(common-objpfx), mathvec/libmvec.so)
@@ -1121,6 +1127,9 @@  endif
 ifeq ($(have-thread-library),yes)
 localplt-built-dso += $(filter-out %_nonshared.a, $(shared-thread-library))
 endif
+ifeq ($(build-libcrypt),yes)
+localplt-built-dso += $(addprefix $(common-objpfx), crypt/libcrypt.so)
+endif
 
 vpath localplt.data $(+sysdep_dirs)
 
@@ -1395,6 +1404,7 @@  $(objpfx)tst-linkall-static: \
   $(common-objpfx)resolv/libanl.a \
   $(static-thread-library)
 
+ifeq ($(build-libcrypt),yes)
 # If we are using NSS crypto and we have the ability to link statically
 # then we include libcrypt.a, otherwise we leave out libcrypt.a and
 # link as much as we can into the tst-linkall-static test.  This assumes
@@ -1410,6 +1420,7 @@  ifeq (no,$(nss-crypt))
 $(objpfx)tst-linkall-static: \
   $(common-objpfx)crypt/libcrypt.a
 endif
+endif
 
 # The application depends on the DSO, and the DSO loads the plugin.
 # The plugin also depends on the DSO. This creates the circular
diff --git a/elf/tst-linkall-static.c b/elf/tst-linkall-static.c
index e8df38f74e..0ffae7c723 100644
--- a/elf/tst-linkall-static.c
+++ b/elf/tst-linkall-static.c
@@ -18,7 +18,9 @@ 
 
 #include <math.h>
 #include <pthread.h>
+#if USE_CRYPT
 #include <crypt.h>
+#endif
 #include <resolv.h>
 #include <dlfcn.h>
 #include <utmp.h>
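Review bot: as already raised in the thread, glibc style indents a conditional include as `# include <crypt.h>`. The bare `#if USE_CRYPT` is safe here only because every branch of the elf/Makefile change defines USE_CRYPT; an `#ifndef USE_CRYPT` / `#error` fallback would make that dependency explicit.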
diff --git a/posix/Makefile b/posix/Makefile
index 51dcf129ec..c43ca1cb49 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -31,7 +31,7 @@  headers	:= sys/utsname.h sys/times.h sys/wait.h sys/types.h unistd.h	      \
 	   bits/local_lim.h tar.h bits/utsname.h bits/confname.h	      \
 	   bits/waitflags.h bits/waitstatus.h sys/unistd.h sched.h	      \
 	   bits/sched.h bits/cpu-set.h re_comp.h wait.h bits/environments.h   \
-	   cpio.h spawn.h bits/unistd.h
+	   cpio.h spawn.h bits/unistd.h bits/unistd-crypt.h
 
 routines :=								      \
 	uname								      \
diff --git a/posix/bits/unistd-crypt-no.h b/posix/bits/unistd-crypt-no.h
new file mode 100644
index 0000000000..d4bbd7a10e
--- /dev/null
+++ b/posix/bits/unistd-crypt-no.h
@@ -0,0 +1,29 @@ 
+/* X/Open Encryption Option Group -- unistd.h declarations.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#ifndef _BITS_UNISTD_CRYPT_H
+#define _BITS_UNISTD_CRYPT_H 1
+
+#ifndef _UNISTD_H
+# error "Never include <bits/unistd-crypt.h> directly; use <unistd.h> instead."
+#endif
+
+/* In this configuration, the functions crypt, encrypt, and setkey are
+   not available.  */
+
+#endif
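Review bot: the comment says setkey is unavailable in this configuration, but setkey is declared from <stdlib.h> via bits/stdlib-crypt.h, not from this header; keep the comment to crypt and encrypt. With the prototype gone, a call to crypt compiles as an implicit declaration returning int, which is the silent pointer-truncation failure described in the thread, so the outcome of that discussion decides whether this variant should keep the crypt prototype after all.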
diff --git a/posix/bits/unistd-crypt-yes.h b/posix/bits/unistd-crypt-yes.h
new file mode 100644
index 0000000000..32f8633fef
--- /dev/null
+++ b/posix/bits/unistd-crypt-yes.h
@@ -0,0 +1,41 @@ 
+/* X/Open Encryption Option Group -- unistd.h declarations.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#ifndef _BITS_UNISTD_CRYPT_H
+#define _BITS_UNISTD_CRYPT_H 1
+
+#ifndef _UNISTD_H
+# error "Never include <bits/unistd-crypt.h> directly; use <unistd.h> instead."
+#endif
+
+/* In this configuration, the functions crypt, encrypt, and setkey are
+   available.  */
+#define	_XOPEN_CRYPT	1
+
+#ifdef __USE_XOPEN
+/* Encrypt at most 8 characters from KEY using salt to perturb DES.  */
+extern char *crypt (const char *__key, const char *__salt)
+     __THROW __nonnull ((1, 2));
+
+/* Encrypt data in BLOCK in place if EDFLAG is zero; otherwise decrypt
+   block in place.  */
+extern void encrypt (char *__glibc_block, int __edflag)
+     __THROW __nonnull ((1));
+#endif
+
+#endif
diff --git a/posix/unistd.h b/posix/unistd.h
index 4d149f9945..d9ac9d4c51 100644
--- a/posix/unistd.h
+++ b/posix/unistd.h
@@ -107,9 +107,6 @@  __BEGIN_DECLS
 /* The X/Open Unix extensions are available.  */
 #define _XOPEN_UNIX	1
 
-/* Encryption is present.  */
-#define	_XOPEN_CRYPT	1
-
 /* The enhanced internationalization capabilities according to XPG4.2
    are present.  */
 #define	_XOPEN_ENH_I18N	1
@@ -1118,20 +1115,11 @@  ssize_t copy_file_range (int __infd, __off64_t *__pinoff,
 extern int fdatasync (int __fildes);
 #endif /* Use POSIX199309 */
 
+/* The X/Open Encryption Option Group may or may not be supported in
+   this release of the GNU C Library.  */
+#include <bits/unistd-crypt.h>
 
-/* XPG4.2 specifies that prototypes for the encryption functions must
-   be defined here.  */
 #ifdef	__USE_XOPEN
-/* Encrypt at most 8 characters from KEY using salt to perturb DES.  */
-extern char *crypt (const char *__key, const char *__salt)
-     __THROW __nonnull ((1, 2));
-
-/* Encrypt data in BLOCK in place if EDFLAG is zero; otherwise decrypt
-   block in place.  */
-extern void encrypt (char *__glibc_block, int __edflag)
-     __THROW __nonnull ((1));
-
-
 /* Swab pairs bytes in the first N bytes of the area pointed to by
    FROM and copy the result to TO.  The value of TO must not be in the
    range [FROM - N + 1, FROM - 1].  If N is odd the first byte in FROM
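Review bot: the removed comment "XPG4.2 specifies that prototypes for the encryption functions must be defined here" was the only statement of why crypt and encrypt live in unistd.h rather than in crypt.h. The replacement comment says only that the option group "may or may not be supported" and does not carry that rationale over. Suggest keeping the XPG4.2 sentence, either here next to the new `#include <bits/unistd-crypt.h>` or in the -yes variant of that header, so the placement stays documented.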
diff --git a/stdlib/Makefile b/stdlib/Makefile
index af1643c0c4..ceca710d1f 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -22,7 +22,8 @@  subdir	:= stdlib
 
 include ../Makeconfig
 
-headers	:= stdlib.h bits/stdlib.h bits/stdlib-ldbl.h bits/stdlib-float.h      \
+headers	:= stdlib.h bits/stdlib.h					      \
+	   bits/stdlib-crypt.h bits/stdlib-ldbl.h bits/stdlib-float.h	      \
 	   monetary.h bits/monetary-ldbl.h				      \
 	   inttypes.h stdint.h bits/wordsize.h				      \
 	   errno.h sys/errno.h bits/errno.h bits/types/error_t.h	      \
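Review bot: bits/stdlib-crypt.h is added to `headers`, which drives header installation, but the second hunk of this file also lists it in `generated`, so the file exists only in the object directory and only after the copy step has run. Please confirm that the install-headers rule picks up the generated copy from the objdir rather than looking for it in the source tree, and that the `bits/` subdirectory of the objdir is created before the copy. It is correct that bits/stdlib-crypt-yes.h and bits/stdlib-crypt-no.h are not listed here, since the source variants should not be installed under their own names.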
@@ -133,7 +134,7 @@  aux += fpioconst mp_clz_tab
 tests-extras += tst-putenvmod
 extra-test-objs += tst-putenvmod.os
 
-generated += isomac isomac.out tst-putenvmod.so
+generated += isomac isomac.out tst-putenvmod.so bits/stdlib-crypt.h
 
 CFLAGS-bsearch.c += $(uses-callbacks)
 CFLAGS-msort.c += $(uses-callbacks)
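Review bot: listing bits/stdlib-crypt.h in `generated` means `make clean` deletes it; since the same file is required by the `headers` list in the previous hunk, the copy step has to run again before any header install or any compile that includes stdlib.h. A short comment at this line naming the rule that produces the file (and that it is selected from the -yes/-no pair) would save the next reader a search through Makerules.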
diff --git a/stdlib/bits/stdlib-crypt-no.h b/stdlib/bits/stdlib-crypt-no.h
new file mode 100644
index 0000000000..ed0fa5b031
--- /dev/null
+++ b/stdlib/bits/stdlib-crypt-no.h
@@ -0,0 +1,29 @@ 
+/* X/Open Encryption Option Group -- stdlib.h declarations.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#ifndef _BITS_STDLIB_CRYPT_H
+#define _BITS_STDLIB_CRYPT_H 1
+
+#ifndef _STDLIB_H
+# error "Never include <bits/stdlib-crypt.h> directly; use <stdlib.h> instead."
+#endif
+
+/* In this configuration, the functions crypt, encrypt, and setkey are
+   not available.  */
+
+#endif
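Review bot: the comment "the functions crypt, encrypt, and setkey are not available" overstates what this header controls. This file is included from stdlib.h and in the -yes variant declares only setkey; crypt and encrypt are handled by the unistd.h counterpart. Suggest "In this configuration, setkey is not declared." so the two stdlib variants document exactly the declaration they toggle. The shared include guard `_BITS_STDLIB_CRYPT_H` and the `#ifndef _STDLIB_H` check match the -yes variant, which is what the approach needs.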
diff --git a/stdlib/bits/stdlib-crypt-yes.h b/stdlib/bits/stdlib-crypt-yes.h
new file mode 100644
index 0000000000..f61ade57c4
--- /dev/null
+++ b/stdlib/bits/stdlib-crypt-yes.h
@@ -0,0 +1,33 @@ 
+/* X/Open Encryption Option Group -- stdlib.h declarations.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#ifndef _BITS_STDLIB_CRYPT_H
+#define _BITS_STDLIB_CRYPT_H 1
+
+#ifndef _STDLIB_H
+# error "Never include <bits/stdlib-crypt.h> directly; use <stdlib.h> instead."
+#endif
+
+/* In this configuration, the functions crypt, encrypt, and setkey are
+   available.  */
+#ifdef __USE_XOPEN
+/* Setup DES tables according to KEY.  */
+extern void setkey (const char *__key) __THROW __nonnull ((1));
+#endif
+
+#endif
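Review bot: the `# error` message tells users to include `<stdlib.h>` instead of `<bits/stdlib-crypt.h>`, but the file a source-tree reader is looking at is named stdlib-crypt-yes.h, and nothing in either variant says that it is installed under the name bits/stdlib-crypt.h after configure-time selection. Suggest one sentence in the header comment of both the -yes and -no files stating that, so the mismatch between the file name and the `# error` text is explained. The wording fix in the setkey comment ("according to KEY", previously "according KEY" in stdlib.h) is good.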
diff --git a/stdlib/stdlib.h b/stdlib/stdlib.h
index 6b1ead31e0..8a4398ca59 100644
--- a/stdlib/stdlib.h
+++ b/stdlib/stdlib.h
@@ -957,12 +957,9 @@  extern int getsubopt (char **__restrict __optionp,
      __THROW __nonnull ((1, 2, 3)) __wur;
 #endif
 
-
-#ifdef __USE_XOPEN
-/* Setup DES tables according KEY.  */
-extern void setkey (const char *__key) __THROW __nonnull ((1));
-#endif
-
+/* The X/Open Encryption Option Group may or may not be supported in
+   this release of the GNU C Library.  */
+#include <bits/stdlib-crypt.h>
 
 /* X/Open pseudo terminal handling.  */
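Review bot: the new comment says the option group "may or may not be supported in this release of the GNU C Library" but gives no hint of what decides it, and the same wording is repeated verbatim in unistd.h. Since this comment ends up in the installed stdlib.h, naming the configure-time option that controls the choice, and pointing to `_XOPEN_CRYPT` in unistd.h as the macro to test for it, would make the installed header self-explanatory. Also note that the `__USE_XOPEN` guard is now inside bits/stdlib-crypt.h, so the unconditional `#include` here is correct and intentional.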