Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/mbedtls mbedtls: Add KERN_ARND support.
details: https://anonhg.NetBSD.org/pkgsrc/rev/ec6cee2f6f28
branches: trunk
changeset: 434965:ec6cee2f6f28
user: nia <nia%pkgsrc.org@localhost>
date: Mon Jun 29 12:39:36 2020 +0000
description:
mbedtls: Add KERN_ARND support.
Motivation: the default behaviour of reopening /dev/urandom repeatedly
for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
Not helped is using fread(), which assumes a long-lived file and buffers
excessively. This change makes the standard gen_entropy tool run in
milliseconds instead of seconds when it generates 48K of randomness.
Not only that, but sysctl is a lot more robust in e.g. chroots, resource
limited processes, etc.
Risk: On NetBSD, the security properties of the previous and current
behaviour are identical.
Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423
Bump PKGREVISION.
diffstat:
security/mbedtls/Makefile | 4 +-
security/mbedtls/buildlink3.mk | 4 +-
security/mbedtls/distinfo | 3 +-
security/mbedtls/patches/patch-library_entropy__poll.c | 83 ++++++++++++++++++
4 files changed, 89 insertions(+), 5 deletions(-)
diffs (134 lines):
diff -r a1b5e6ffa3fc -r ec6cee2f6f28 security/mbedtls/Makefile
--- a/security/mbedtls/Makefile Mon Jun 29 12:38:03 2020 +0000
+++ b/security/mbedtls/Makefile Mon Jun 29 12:39:36 2020 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2020/06/11 11:43:50 nia Exp $
+# $NetBSD: Makefile,v 1.16 2020/06/29 12:39:36 nia Exp $
DISTNAME= mbedtls-2.16.6-apache
PKGNAME= ${DISTNAME:-apache=}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security devel
MASTER_SITES= https://tls.mbed.org/download/
EXTRACT_SUFX= .tgz
diff -r a1b5e6ffa3fc -r ec6cee2f6f28 security/mbedtls/buildlink3.mk
--- a/security/mbedtls/buildlink3.mk Mon Jun 29 12:38:03 2020 +0000
+++ b/security/mbedtls/buildlink3.mk Mon Jun 29 12:39:36 2020 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+# $NetBSD: buildlink3.mk,v 1.2 2020/06/29 12:39:36 nia Exp $
BUILDLINK_TREE+= mbedtls
@@ -11,7 +11,7 @@
pkgbase := mbedtls
.include "../../mk/pkg-build-options.mk"
-.if !empty(PKG_BUILD_OPTIONS.mbedtls:Mzlib)
+.if ${PKG_BUILD_OPTIONS.mbedtls:Mzlib}
.include "../../devel/zlib/buildlink3.mk"
.endif
diff -r a1b5e6ffa3fc -r ec6cee2f6f28 security/mbedtls/distinfo
--- a/security/mbedtls/distinfo Mon Jun 29 12:38:03 2020 +0000
+++ b/security/mbedtls/distinfo Mon Jun 29 12:39:36 2020 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.11 2020/06/11 11:43:50 nia Exp $
+$NetBSD: distinfo,v 1.12 2020/06/29 12:39:36 nia Exp $
SHA1 (mbedtls-2.16.6-apache.tgz) = 3cb5b681597a5bd798d31038c129c0dc911d8a2c
RMD160 (mbedtls-2.16.6-apache.tgz) = da5ede944292874afdb24a8fe21c643b34255206
SHA512 (mbedtls-2.16.6-apache.tgz) = a0c48b694d7bc70256d26c44bfb2ac802428560b02e50fe2e47762bc595e2c7b8fac934badb3452acb01d8a54386eafae0ff2894320d24ab7554f1c8e6cb4bcf
Size (mbedtls-2.16.6-apache.tgz) = 2699220 bytes
+SHA1 (patch-library_entropy__poll.c) = 6ab7d7b7e499f0ad9dcbaff274675c03b67f14ec
SHA1 (patch-library_net__sockets.c) = dc1b304432a2837f72035245a3bc8f1cfcaacbd9
SHA1 (patch-programs_aes_aescrypt2.c) = ffce071071ba00c37441973e2305d93a2374c748
SHA1 (patch-programs_aes_crypt__and__hash.c) = 29bd90a0cb2cb4d970c57e57aad6318949479137
diff -r a1b5e6ffa3fc -r ec6cee2f6f28 security/mbedtls/patches/patch-library_entropy__poll.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/mbedtls/patches/patch-library_entropy__poll.c Mon Jun 29 12:39:36 2020 +0000
@@ -0,0 +1,83 @@
+$NetBSD: patch-library_entropy__poll.c,v 1.1 2020/06/29 12:39:36 nia Exp $
+
+Add KERN_ARND support.
+
+Motivation: the default behaviour of reopening /dev/urandom repeatedly
+for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
+Not helped is using fread(), which assumes a long-lived file and buffers
+excessively. This change makes the standard gen_entropy tool run in
+milliseconds instead of seconds when it generates 48K of randomness.
+
+Not only that, but sysctl is a lot more robust in e.g. chroots, resource
+limited processes, etc.
+
+Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423
+
+--- library/entropy_poll.c.orig 2020-04-09 13:12:23.000000000 +0000
++++ library/entropy_poll.c
+@@ -114,6 +114,41 @@ static int getrandom_wrapper( void *buf,
+ #endif /* SYS_getrandom */
+ #endif /* __linux__ */
+
++/*
++ * Some BSD systems provide KERN_ARND.
++ * This is equivalent to reading from /dev/urandom, only it doesn't require an
++ * open file descriptor, and provides up to 256 bytes per call (basically the
++ * same as getentropy(), but with a longer history).
++ *
++ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
++ */
++#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
++#include <sys/param.h>
++#include <sys/sysctl.h>
++#if defined(KERN_ARND)
++#define HAVE_SYSCTL_ARND
++
++static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen )
++{
++ int name[2];
++ size_t len;
++
++ name[0] = CTL_KERN;
++ name[1] = KERN_ARND;
++
++ while( buflen > 0 )
++ {
++ len = buflen > 256 ? 256 : buflen;
++ if( sysctl(name, 2, buf, &len, NULL, 0) == -1 )
++ return( -1 );
++ buflen -= len;
++ buf += len;
++ }
++ return( 0 );
++}
++#endif /* KERN_ARND */
++#endif /* __FreeBSD__ || __NetBSD__ */
++
+ #include <stdio.h>
+
+ int mbedtls_platform_entropy_poll( void *data,
+@@ -138,6 +173,15 @@ int mbedtls_platform_entropy_poll( void
+ ((void) ret);
+ #endif /* HAVE_GETRANDOM */
+
++#if defined(HAVE_SYSCTL_ARND)
++ ((void) file);
++ ((void) read_len);
++ if( sysctl_arnd_wrapper( output, len ) == -1 )
++ return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
++ *olen = len;
++ return( 0 );
++#else
++
+ *olen = 0;
+
+ file = fopen( "/dev/urandom", "rb" );
+@@ -155,6 +199,7 @@ int mbedtls_platform_entropy_poll( void
+ *olen = len;
+
+ return( 0 );
++#endif /* HAVE_SYSCTL_ARND */
+ }
+ #endif /* _WIN32 && !EFIX64 && !EFI32 */
+ #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
Home |
Main Index |
Thread Index |
Old Index