CVS commit: pkgsrc/security/mbedtls

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/security/mbedtls
From: "Nia Alarie" <nia%netbsd.org@localhost>
Date: Mon, 29 Jun 2020 12:39:36 +0000

Module Name:    pkgsrc
Committed By:   nia
Date:           Mon Jun 29 12:39:36 UTC 2020

Modified Files:
        pkgsrc/security/mbedtls: Makefile buildlink3.mk distinfo
Added Files:
        pkgsrc/security/mbedtls/patches: patch-library_entropy__poll.c

Log Message:
mbedtls: Add KERN_ARND support.

Motivation: the default behaviour of reopening /dev/urandom repeatedly
for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
Not helped is using fread(), which assumes a long-lived file and buffers
excessively. This change makes the standard gen_entropy tool run in
milliseconds instead of seconds when it generates 48K of randomness.

Not only that, but sysctl is a lot more robust in e.g. chroots, resource
limited processes, etc.

Risk: On NetBSD, the security properties of the previous and current
behaviour are identical.

Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/security/mbedtls/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mbedtls/buildlink3.mk
cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/mbedtls/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/mbedtls/Makefile
diff -u pkgsrc/security/mbedtls/Makefile:1.15 pkgsrc/security/mbedtls/Makefile:1.16
--- pkgsrc/security/mbedtls/Makefile:1.15       Thu Jun 11 11:43:50 2020
+++ pkgsrc/security/mbedtls/Makefile    Mon Jun 29 12:39:36 2020
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2020/06/11 11:43:50 nia Exp $
+# $NetBSD: Makefile,v 1.16 2020/06/29 12:39:36 nia Exp $
 
 DISTNAME=      mbedtls-2.16.6-apache
 PKGNAME=       ${DISTNAME:-apache=}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    security devel
 MASTER_SITES=  https://tls.mbed.org/download/
 EXTRACT_SUFX=  .tgz

Index: pkgsrc/security/mbedtls/buildlink3.mk
diff -u pkgsrc/security/mbedtls/buildlink3.mk:1.1 pkgsrc/security/mbedtls/buildlink3.mk:1.2
--- pkgsrc/security/mbedtls/buildlink3.mk:1.1   Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/buildlink3.mk       Mon Jun 29 12:39:36 2020
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+# $NetBSD: buildlink3.mk,v 1.2 2020/06/29 12:39:36 nia Exp $
 
 BUILDLINK_TREE+=       mbedtls
 
@@ -11,7 +11,7 @@ BUILDLINK_PKGSRCDIR.mbedtls?= ../../secu
 pkgbase := mbedtls
 .include "../../mk/pkg-build-options.mk"
 
-.if !empty(PKG_BUILD_OPTIONS.mbedtls:Mzlib)
+.if ${PKG_BUILD_OPTIONS.mbedtls:Mzlib}
 .include "../../devel/zlib/buildlink3.mk"
 .endif
 

Index: pkgsrc/security/mbedtls/distinfo
diff -u pkgsrc/security/mbedtls/distinfo:1.11 pkgsrc/security/mbedtls/distinfo:1.12
--- pkgsrc/security/mbedtls/distinfo:1.11       Thu Jun 11 11:43:50 2020
+++ pkgsrc/security/mbedtls/distinfo    Mon Jun 29 12:39:36 2020
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.11 2020/06/11 11:43:50 nia Exp $
+$NetBSD: distinfo,v 1.12 2020/06/29 12:39:36 nia Exp $
 
 SHA1 (mbedtls-2.16.6-apache.tgz) = 3cb5b681597a5bd798d31038c129c0dc911d8a2c
 RMD160 (mbedtls-2.16.6-apache.tgz) = da5ede944292874afdb24a8fe21c643b34255206
 SHA512 (mbedtls-2.16.6-apache.tgz) = a0c48b694d7bc70256d26c44bfb2ac802428560b02e50fe2e47762bc595e2c7b8fac934badb3452acb01d8a54386eafae0ff2894320d24ab7554f1c8e6cb4bcf
 Size (mbedtls-2.16.6-apache.tgz) = 2699220 bytes
+SHA1 (patch-library_entropy__poll.c) = 6ab7d7b7e499f0ad9dcbaff274675c03b67f14ec
 SHA1 (patch-library_net__sockets.c) = dc1b304432a2837f72035245a3bc8f1cfcaacbd9
 SHA1 (patch-programs_aes_aescrypt2.c) = ffce071071ba00c37441973e2305d93a2374c748
 SHA1 (patch-programs_aes_crypt__and__hash.c) = 29bd90a0cb2cb4d970c57e57aad6318949479137

Added files:

Index: pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c
diff -u /dev/null pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c:1.1
--- /dev/null   Mon Jun 29 12:39:36 2020
+++ pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c       Mon Jun 29 12:39:36 2020
@@ -0,0 +1,83 @@
+$NetBSD: patch-library_entropy__poll.c,v 1.1 2020/06/29 12:39:36 nia Exp $
+
+Add KERN_ARND support.
+
+Motivation: the default behaviour of reopening /dev/urandom repeatedly
+for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
+Not helped is using fread(), which assumes a long-lived file and buffers
+excessively. This change makes the standard gen_entropy tool run in
+milliseconds instead of seconds when it generates 48K of randomness.
+
+Not only that, but sysctl is a lot more robust in e.g. chroots, resource
+limited processes, etc.
+
+Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423
+
+--- library/entropy_poll.c.orig        2020-04-09 13:12:23.000000000 +0000
++++ library/entropy_poll.c
+@@ -114,6 +114,41 @@ static int getrandom_wrapper( void *buf,
+ #endif /* SYS_getrandom */
+ #endif /* __linux__ */
+ 
++/*
++ * Some BSD systems provide KERN_ARND.
++ * This is equivalent to reading from /dev/urandom, only it doesn't require an
++ * open file descriptor, and provides up to 256 bytes per call (basically the
++ * same as getentropy(), but with a longer history).
++ *
++ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
++ */
++#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
++#include <sys/param.h>
++#include <sys/sysctl.h>
++#if defined(KERN_ARND)
++#define HAVE_SYSCTL_ARND
++
++static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen )
++{
++    int name[2];
++    size_t len;
++
++    name[0] = CTL_KERN;
++    name[1] = KERN_ARND;
++
++    while( buflen > 0 )
++    {
++        len = buflen > 256 ? 256 : buflen;
++        if( sysctl(name, 2, buf, &len, NULL, 0) == -1 )
++            return( -1 );
++        buflen -= len;
++        buf += len;
++    }
++    return( 0 );
++}
++#endif /* KERN_ARND */
++#endif /* __FreeBSD__ || __NetBSD__ */
++
+ #include <stdio.h>
+ 
+ int mbedtls_platform_entropy_poll( void *data,
+@@ -138,6 +173,15 @@ int mbedtls_platform_entropy_poll( void 
+     ((void) ret);
+ #endif /* HAVE_GETRANDOM */
+ 
++#if defined(HAVE_SYSCTL_ARND)
++    ((void) file);
++    ((void) read_len);
++    if( sysctl_arnd_wrapper( output, len ) == -1 )
++        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
++    *olen = len;
++    return( 0 );
++#else
++
+     *olen = 0;
+ 
+     file = fopen( "/dev/urandom", "rb" );
+@@ -155,6 +199,7 @@ int mbedtls_platform_entropy_poll( void 
+     *olen = len;
+ 
+     return( 0 );
++#endif /* HAVE_SYSCTL_ARND */
+ }
+ #endif /* _WIN32 && !EFIX64 && !EFI32 */
+ #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */

Prev by Date: CVS commit: pkgsrc/bootstrap
Next by Date: CVS commit: pkgsrc/devel/apache-maven
Previous by Thread: CVS commit: pkgsrc/bootstrap
Next by Thread: CVS commit: pkgsrc/devel/apache-maven
Indexes:

Home | Main Index | Thread Index | Old Index