Date: Mon, 29 Jun 2020 12:39:36 +0000
From: "Nia Alarie"
Subject: CVS commit: pkgsrc/security/mbedtls
To: pkgsrc-changes@NetBSD.org
Reply-To: nia@netbsd.org
Message-Id: <20200629123936.6676EFB28@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   nia
Date:           Mon Jun 29 12:39:36 UTC 2020

Modified Files:
        pkgsrc/security/mbedtls: Makefile buildlink3.mk distinfo
Added Files:
        pkgsrc/security/mbedtls/patches: patch-library_entropy__poll.c

Log Message:
mbedtls: Add KERN_ARND support.

Motivation: the default behaviour of reopening /dev/urandom repeatedly
for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD.
Not helped is using fread(), which assumes a long-lived file and buffers
excessively. This change makes the standard gen_entropy tool run in
milliseconds instead of seconds when it generates 48K of randomness.

Not only that, but sysctl is a lot more robust in e.g. chroots, resource
limited processes, etc.

Risk: On NetBSD, the security properties of the previous and current
behaviour are identical.

Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423

Bump PKGREVISION.

To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 pkgsrc/security/mbedtls/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mbedtls/buildlink3.mk
cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/mbedtls/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1593434376228440 Content-Disposition: inline Content-Length: 5275 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/mbedtls/Makefile diff -u pkgsrc/security/mbedtls/Makefile:1.15 pkgsrc/security/mbedtls/Makefile:1.16 --- pkgsrc/security/mbedtls/Makefile:1.15 Thu Jun 11 11:43:50 2020 +++ pkgsrc/security/mbedtls/Makefile Mon Jun 29 12:39:36 2020 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.15 2020/06/11 11:43:50 nia Exp $ +# $NetBSD: Makefile,v 1.16 2020/06/29 12:39:36 nia Exp $ DISTNAME= mbedtls-2.16.6-apache PKGNAME= ${DISTNAME:-apache=} -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= security devel MASTER_SITES= https://tls.mbed.org/download/ EXTRACT_SUFX= .tgz Index: pkgsrc/security/mbedtls/buildlink3.mk diff -u pkgsrc/security/mbedtls/buildlink3.mk:1.1 pkgsrc/security/mbedtls/buildlink3.mk:1.2 --- pkgsrc/security/mbedtls/buildlink3.mk:1.1 Fri Jun 12 09:05:05 2015 +++ pkgsrc/security/mbedtls/buildlink3.mk Mon Jun 29 12:39:36 2020 @@ -1,4 +1,4 @@ -# $NetBSD: buildlink3.mk,v 1.1 2015/06/12 09:05:05 fhajny Exp $ +# $NetBSD: buildlink3.mk,v 1.2 2020/06/29 12:39:36 nia Exp $ BUILDLINK_TREE+= mbedtls @@ -11,7 +11,7 @@ BUILDLINK_PKGSRCDIR.mbedtls?= ../../secu pkgbase := mbedtls .include "../../mk/pkg-build-options.mk" -.if !empty(PKG_BUILD_OPTIONS.mbedtls:Mzlib) +.if ${PKG_BUILD_OPTIONS.mbedtls:Mzlib} .include "../../devel/zlib/buildlink3.mk" .endif Index: pkgsrc/security/mbedtls/distinfo diff -u pkgsrc/security/mbedtls/distinfo:1.11 pkgsrc/security/mbedtls/distinfo:1.12 --- pkgsrc/security/mbedtls/distinfo:1.11 Thu Jun 11 11:43:50 2020 +++ pkgsrc/security/mbedtls/distinfo Mon Jun 29 12:39:36 2020 
@@ -1,9 +1,10 @@ -$NetBSD: distinfo,v 1.11 2020/06/11 11:43:50 nia Exp $ +$NetBSD: distinfo,v 1.12 2020/06/29 12:39:36 nia Exp $ SHA1 (mbedtls-2.16.6-apache.tgz) = 3cb5b681597a5bd798d31038c129c0dc911d8a2c RMD160 (mbedtls-2.16.6-apache.tgz) = da5ede944292874afdb24a8fe21c643b34255206 SHA512 (mbedtls-2.16.6-apache.tgz) = a0c48b694d7bc70256d26c44bfb2ac802428560b02e50fe2e47762bc595e2c7b8fac934badb3452acb01d8a54386eafae0ff2894320d24ab7554f1c8e6cb4bcf Size (mbedtls-2.16.6-apache.tgz) = 2699220 bytes +SHA1 (patch-library_entropy__poll.c) = 6ab7d7b7e499f0ad9dcbaff274675c03b67f14ec SHA1 (patch-library_net__sockets.c) = dc1b304432a2837f72035245a3bc8f1cfcaacbd9 SHA1 (patch-programs_aes_aescrypt2.c) = ffce071071ba00c37441973e2305d93a2374c748 SHA1 (patch-programs_aes_crypt__and__hash.c) = 29bd90a0cb2cb4d970c57e57aad6318949479137 Added files: Index: pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c diff -u /dev/null pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c:1.1 --- /dev/null Mon Jun 29 12:39:36 2020 +++ pkgsrc/security/mbedtls/patches/patch-library_entropy__poll.c Mon Jun 29 12:39:36 2020 
@@ -0,0 +1,83 @@ +$NetBSD: patch-library_entropy__poll.c,v 1.1 2020/06/29 12:39:36 nia Exp $ + +Add KERN_ARND support. + +Motivation: the default behaviour of reopening /dev/urandom repeatedly +for every 128 bytes of entropy required is _exceedingly_ slow on NetBSD. +Not helped is using fread(), which assumes a long-lived file and buffers +excessively. This change makes the standard gen_entropy tool run in +milliseconds instead of seconds when it generates 48K of randomness. + +Not only that, but sysctl is a lot more robust in e.g. chroots, resource +limited processes, etc. + +Upstreamed: https://github.com/ARMmbed/mbedtls/pull/3423 + +--- library/entropy_poll.c.orig 2020-04-09 13:12:23.000000000 +0000 ++++ library/entropy_poll.c +@@ -114,6 +114,41 @@ static int getrandom_wrapper( void *buf, + #endif /* SYS_getrandom */ + #endif /* __linux__ */ + ++/* ++ * Some BSD systems provide KERN_ARND. ++ * This is equivalent to reading from /dev/urandom, only it doesn't require an ++ * open file descriptor, and provides up to 256 bytes per call (basically the ++ * same as getentropy(), but with a longer history). ++ * ++ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7 ++ */ ++#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM) ++#include ++#include ++#if defined(KERN_ARND) ++#define HAVE_SYSCTL_ARND ++ ++static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen ) ++{ ++ int name[2]; ++ size_t len; ++ ++ name[0] = CTL_KERN; ++ name[1] = KERN_ARND; ++ ++ while( buflen > 0 ) ++ { ++ len = buflen > 256 ? 
256 : buflen; ++ if( sysctl(name, 2, buf, &len, NULL, 0) == -1 ) ++ return( -1 ); ++ buflen -= len; ++ buf += len; ++ } ++ return( 0 ); ++} ++#endif /* KERN_ARND */ ++#endif /* __FreeBSD__ || __NetBSD__ */ ++ + #include + + int mbedtls_platform_entropy_poll( void *data, +@@ -138,6 +173,15 @@ int mbedtls_platform_entropy_poll( void + ((void) ret); + #endif /* HAVE_GETRANDOM */ + ++#if defined(HAVE_SYSCTL_ARND) ++ ((void) file); ++ ((void) read_len); ++ if( sysctl_arnd_wrapper( output, len ) == -1 ) ++ return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); ++ *olen = len; ++ return( 0 ); ++#else ++ + *olen = 0; + + file = fopen( "/dev/urandom", "rb" ); +@@ -155,6 +199,7 @@ int mbedtls_platform_entropy_poll( void + *olen = len; + + return( 0 ); ++#endif /* HAVE_SYSCTL_ARND */ + } + #endif /* _WIN32 && !EFIX64 && !EFI32 */ + #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */ --_----------=_1593434376228440--
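
Review bot: In buildlink3.mk, the switch from `.if !empty(PKG_BUILD_OPTIONS.mbedtls:Mzlib)` to `.if ${PKG_BUILD_OPTIONS.mbedtls:Mzlib}` is unrelated to KERN_ARND and is not mentioned in the log message. Either note it in the log or commit it separately, so the entropy change can be reviewed and reverted on its own.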
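
Review bot: In sysctl_arnd_wrapper(), the loop trusts the `len` that sysctl() writes back: `buflen -= len; buf += len;` makes no progress if a call succeeds but leaves len at 0, so the loop would never terminate. Treat a zero-length result as a failure and return -1. Separately, the preprocessor guard enables this path on `__FreeBSD__` as well, while the log message states the risk only for NetBSD; either narrow the guard to NetBSD or document that the FreeBSD behaviour was checked.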
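
Review bot: In mbedtls_platform_entropy_poll(), the HAVE_SYSCTL_ARND branch returns MBEDTLS_ERR_ENTROPY_SOURCE_FAILED without writing `*olen`, whereas the /dev/urandom path sets `*olen = 0;` before anything can fail. Move `*olen = 0;` above `#if defined(HAVE_SYSCTL_ARND)` so both paths share it and a caller never reads a stale length after an error.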