Re: Bug#811315: getdns: FTBFS[kfreebsd]: needs getentropy implementation

2016-06-08 Thread Guillem Jover 
Control: forwarded -1 https://github.com/getdnsapi/getdns/pull/182

On Mon, 2016-01-18 at 13:59:00 +, Steven Chamberlain wrote:
> Guillem Jover wrote:
> > Steven Chamberlain wrote:
> > > getdns FTBFS on kfreebsd because it lacks a getentropy implementation
> > > for the FreeBSD kernel.  But there is one already in LibreSSL Portable
> > > we can use, and works fine here.
> > 
> > BTW, libbsd has also a getentropy(3) implementation (lifted too from
> > LibreSSL), which is currently not exposed but if people want to use it
> > I could make it public, instead of embedding this in all sorts of
> > places. The difference being that libbsd is already in Debian, while
> > LibreSSL is not.
> > 
> >   

> I think the only use case for getentropy is arc4random, so perhaps don't
> export getentropy(3), but lets try to standardise on one implementation
> of arc4random (in libbsd?) and try to get more people using that?
> 
> It would be nice to have the kernel-specific parts (getentropy) confined
> to libbsd, and that may become even more important if applications start
> sandboxing (e.g. can't read /dev/urandom any more, have to use sysctls).
> Or if getrandom(2) becomes standard, we'd only need to implement it in
> one place (as a supplement / eventual replacement to getentropy(3)).

Sure, I've now implemented this and sent a pull request to upstream,
plus the required packaging bits, attached here both for convenience.

Thanks,
Guillem
diff --git i/debian/control w/debian/control
index 8b27205..ffa1c40 100644
--- i/debian/control
+++ w/debian/control
@@ -8,6 +8,7 @@ Build-Depends: autotools-dev,
check,
debhelper (>= 9),
dh-autoreconf,
+   libbsd-dev,
libev-dev,
libevent-dev,
libexpat-dev,
From 1fb763761b90c3269d818a736a6c81469b89629d Mon Sep 17 00:00:00 2001
From: Guillem Jover 
Date: Thu, 9 Jun 2016 01:55:07 +0200
Subject: [PATCH] Use libbsd when available

Use the libbsd (https://libbsd.freedesktop.org/) overlay to transparently
use the bsd compatibility layer without needing any actual code changes.

Remove now unnecessary direct access to libbsd includes. And remove
checks for unused functions.
---
 configure.ac | 16 ++--
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index a471327..0807f01 100644
--- a/configure.ac
+++ b/configure.ac
@@ -238,7 +238,7 @@ if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/
 	AC_DEFINE([HAVE_LIBRESSL], [1], [Define if we have LibreSSL])
 	# libressl provides these compat functions, but they may also be
 	# declared by the OS in libc.  See if they have been declared.
-	AC_CHECK_DECLS([strlcpy,strlcat,arc4random,arc4random_uniform,reallocarray])
+	AC_CHECK_DECLS([strlcpy,arc4random,arc4random_uniform])
 else
 	AC_MSG_RESULT([no])
 fi
@@ -928,7 +928,7 @@ dnl - Start of "Things needed for gldns" section
 dnl -
 dnl ---
 
-AC_CHECK_HEADERS([stdarg.h stdint.h netinet/in.h arpa/inet.h netdb.h sys/socket.h time.h sys/time.h bsd/string.h sys/select.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdint.h netinet/in.h arpa/inet.h netdb.h sys/socket.h time.h sys/time.h sys/select.h],,, [AC_INCLUDES_DEFAULT])
 
 dnl Check the printf-format attribute (if any)
 dnl result in HAVE_ATTR_FORMAT.  
@@ -967,6 +967,14 @@ AC_MSG_RESULT($ac_cv_c_unused_attribute)
 if test $ac_cv_c_unused_attribute = yes; then
   AC_DEFINE(HAVE_ATTR_UNUSED, 1, [Whether the C compiler accepts the "unused" attribute])
 fi
+# Check for libbsd, so that the next function checks pick it as their
+# system implementation.
+PKG_CHECK_MODULES([LIBBSD],[libbsd-overlay],[
+LIBS="$LIBS $LIBBSD_LIBS"
+CFLAGS="$CFLAGS $LIBBSD_CFLAGS"
+],[
+AC_MSG_WARN([libbsd not found or usable; using embedded code instead])
+])
 AC_CHECK_DECLS([strlcpy,arc4random,arc4random_uniform])
 AC_REPLACE_FUNCS(inet_pton)
 AC_REPLACE_FUNCS(inet_ntop)
@@ -1050,10 +1058,6 @@ AH_BOTTOM([
 #include 
 #include 
 
-#ifdef HAVE_BSD_STRING_H
-#include 
-#endif
-
 /* the version of the windows API enabled */
 #ifndef WINVER
 #define WINVER 0x0600 // 0x0502
-- 
2.8.1

Re: Bug#811315: getdns: FTBFS[kfreebsd]: needs getentropy implementation

2016-01-18 Thread Steven Chamberlain 
Hi Guillem,

Guillem Jover wrote:
> Steven Chamberlain wrote:
> > getdns FTBFS on kfreebsd because it lacks a getentropy implementation
> > for the FreeBSD kernel.  But there is one already in LibreSSL Portable
> > we can use, and works fine here.
> 
> BTW, libbsd has also a getentropy(3) implementation (lifted too from
> LibreSSL), which is currently not exposed but if people want to use it
> I could make it public, instead of embedding this in all sorts of
> places. The difference being that libbsd is already in Debian, while
> LibreSSL is not.
> 
>   

I'm really glad you asked about this.  The number of projects embedding
arc4random implementations, copied from OpenBSD or OpenSSH/LibreSSL
Portable has me worried.  I wanted to raise this with the security team,
I may follow up on debian-devel shortly.

I think the only use case for getentropy is arc4random, so perhaps don't
export getentropy(3), but lets try to standardise on one implementation
of arc4random (in libbsd?) and try to get more people using that?

It would be nice to have the kernel-specific parts (getentropy) confined
to libbsd, and that may become even more important if applications start
sandboxing (e.g. can't read /dev/urandom any more, have to use sysctls).
Or if getrandom(2) becomes standard, we'd only need to implement it in
one place (as a supplement / eventual replacement to getentropy(3)).

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Re: Bug#811315: getdns: FTBFS[kfreebsd]: needs getentropy implementation

2016-01-18 Thread Guillem Jover 
Hi!

On Sun, 2016-01-17 at 21:42:03 +, Steven Chamberlain wrote:
> Package: getdns
> Version: 0.9.0-1
> Severity: normal
> Tags: patch

> getdns FTBFS on kfreebsd because it lacks a getentropy implementation
> for the FreeBSD kernel.  But there is one already in LibreSSL Portable
> we can use, and works fine here.

BTW, libbsd has also a getentropy(3) implementation (lifted too from
LibreSSL), which is currently not exposed but if people want to use it
I could make it public, instead of embedding this in all sorts of
places. The difference being that libbsd is already in Debian, while
LibreSSL is not.

  

Thanks,
Guillem

Bug#811315: getdns: FTBFS[kfreebsd]: needs getentropy implementation

2016-01-17 Thread Steven Chamberlain 
Package: getdns
Version: 0.9.0-1
Severity: normal
Tags: patch

Hi,

getdns FTBFS on kfreebsd because it lacks a getentropy implementation
for the FreeBSD kernel.  But there is one already in LibreSSL Portable
we can use, and works fine here.

Please find patch attached.  Thanks!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
From: Steven Chamberlain 
Date: Sun, 17 Jan 2016 21:25:04 +
Subject: Add GNU/kFreeBSD support

Import getentropy_freebsd.c from LibreSSL Portable, an implementation of
getentropy(2) that uses FreeBSD's kern.random sysctl.

Add support for GNU/kFreeBSD by matching *FreeBSD in configure.ac
and building getentropy_freebsd in that case.  This hasn't been
tested yet on regular FreeBSD, which may require extra libs.

--- a/configure.ac
+++ b/configure.ac
@@ -988,6 +988,10 @@
 			fi
 			AC_SEARCH_LIBS([clock_gettime], [rt])
 		;;
+		*FreeBSD)
+			AC_LIBOBJ(getentropy_freebsd)
+			AC_CHECK_HEADERS([sys/sysctl.h],,, [AC_INCLUDES_DEFAULT])
+		;;
 		Linux|*)
 			AC_LIBOBJ(getentropy_linux)
 			dnl AC_CHECK_FUNCS([SHA512_Update],,[
--- /dev/null
+++ b/src/compat/getentropy_freebsd.c
@@ -0,0 +1,62 @@
+/*	$OpenBSD: getentropy_freebsd.c,v 1.1 2014/11/03 06:23:30 bcook Exp $	*/
+
+/*
+ * Copyright (c) 2014 Pawel Jakub Dawidek 
+ * Copyright (c) 2014 Brent Cook 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Emulation of getentropy(2) as documented at:
+ * http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/getentropy.2
+ */
+
+#include 
+#include 
+
+#include 
+#include 
+
+/*
+ * Derived from lib/libc/gen/arc4random.c from FreeBSD.
+ */
+static size_t
+getentropy_sysctl(u_char *buf, size_t size)
+{
+	int mib[2];
+	size_t len, done;
+
+	mib[0] = CTL_KERN;
+	mib[1] = KERN_ARND;
+	done = 0;
+
+	do {
+		len = size;
+		if (sysctl(mib, 2, buf, , NULL, 0) == -1)
+			return (done);
+		done += len;
+		buf += len;
+		size -= len;
+	} while (size > 0);
+
+	return (done);
+}
+
+int
+getentropy(void *buf, size_t len)
+{
+	if (len <= 256 && getentropy_sysctl(buf, len) == len)
+		return (0);
+
+	errno = EIO;
+	return (-1);
+}