Skip to content

Instantly share code, notes, and snippets.

@xentec

xentec/0001-main-libasr-replace-res_randomid-impl.-with-call-to-.patch

Created February 11, 2017 15:21
Show Gist options
  • Save xentec/1a232a32d18d9b9e32f9bfd700b64498 to your computer and use it in GitHub Desktop.
Save xentec/1a232a32d18d9b9e32f9bfd700b64498 to your computer and use it in GitHub Desktop.
Download ZIP
ALPINE: opensmtpd fix
Raw
0001-main-libasr-replace-res_randomid-impl.-with-call-to-.patch
From c728af08c9321f1a0618674e462adc8e96327370 Mon Sep 17 00:00:00 2001
From: xentec <[email protected]>
Date: Sat, 11 Feb 2017 15:00:43 +0000
Subject: [PATCH 1/2] main/libasr: replace res_randomid() impl. with call to
arc4random() from libcrypto
Fixes recursive call loop which causes a stack overflow in opensmtpd.
---
main/libasr/00-use-openbsd-res_randomid.patch | 953 ---------------------
main/libasr/0001-Fix-NETDB_SUCCESS-value.patch | 25 +
...sing-res_randomid-with-the-more-secure-ar.patch | 66 ++
.../0003-no-need-for-openssl-in-libasr.patch | 25 +
main/libasr/APKBUILD | 46 +-
5 files changed, 139 insertions(+), 976 deletions(-)
delete mode 100644 main/libasr/00-use-openbsd-res_randomid.patch
create mode 100644 main/libasr/0001-Fix-NETDB_SUCCESS-value.patch
create mode 100644 main/libasr/0002-Replace-missing-res_randomid-with-the-more-secure-ar.patch
create mode 100644 main/libasr/0003-no-need-for-openssl-in-libasr.patch
diff --git a/main/libasr/00-use-openbsd-res_randomid.patch b/main/libasr/00-use-openbsd-res_randomid.patch
deleted file mode 100644
index 4fb97828e6..0000000000
--- a/main/libasr/00-use-openbsd-res_randomid.patch
+++ /dev/null
@@ -1,953 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index 10aff04..ec6fadf 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -41,7 +41,7 @@ AC_PATH_PROG([NROFF], [nroff])
- AC_PATH_PROG([MANDOC], [mandoc])
- AC_PROG_YACC
-
--AM_INIT_AUTOMAKE
-+AM_INIT_AUTOMAKE([subdir-objects no-dependencies])
-
- LT_INIT
-
-@@ -442,6 +442,10 @@ fi
- #l1572 (customized)
- dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS([ \
-+ arc4random \
-+ arc4random_buf \
-+ arc4random_stir \
-+ arc4random_uniform \
- asprintf \
- bcopy \
- explicit_bzero \
-@@ -465,6 +469,13 @@ AC_CHECK_FUNCS([ \
- vasprintf \
- vsnprintf \
- ])
-+
-+AC_CHECK_FUNC([res_randomid],
-+ [AC_DEFINE([HAVE_RES_RANDOMID], [1], [Define if res_randomid exists])])
-+AM_CONDITIONAL([USE_OPENBSD_RES_RANDOM], [test "x$HAVE_RES_RANDOMID" = "x" ])
-+AM_COND_IF([USE_OPENBSD_RES_RANDOM],
-+ [AC_CHECK_LIB([crypto], [RAND_bytes], [], [AC_MSG_ERROR([libcrypto not found])])])
-+
- #l1685
-
- #l1715
-diff --git a/openbsd-compat/NOTES b/openbsd-compat/NOTES
-index baa60ec..0eb0710 100644
---- a/openbsd-compat/NOTES
-+++ b/openbsd-compat/NOTES
-@@ -1,10 +1,12 @@
- List of files and where they come from
-
-+arc4random.c portable openssh
- clock_gettime.c handmade
- defines.h portable openssh
- fgetln.c part of /usr/src/usr.bin/make/util.c
- includes.h portable openssh
- openbsd-compat.h portable openssh
-+res_random.c src/lib/libc/net/res_random.c
- strlcat.c portable openssh
- strlcpy.c portable openssh
- strtonum.c portable openssh
-diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
-new file mode 100644
-index 0000000..ca4434d
---- /dev/null
-+++ b/openbsd-compat/arc4random.c
-@@ -0,0 +1,296 @@
-+/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */
-+
-+/* $OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $ */
-+
-+/*
-+ * Copyright (c) 1996, David Mazieres <[email protected]>
-+ * Copyright (c) 2008, Damien Miller <[email protected]>
-+ * Copyright (c) 2013, Markus Friedl <[email protected]>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+/*
-+ * ChaCha based random number generator for OpenBSD.
-+ */
-+
-+#include "includes.h"
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/types.h>
-+
-+#ifndef HAVE_ARC4RANDOM
-+
-+#include <openssl/rand.h>
-+#include <openssl/err.h>
-+
-+#define KEYSTREAM_ONLY
-+#include "chacha_private.h"
-+
-+#ifdef __GNUC__
-+#define inline __inline
-+#else /* !__GNUC__ */
-+#define inline
-+#endif /* !__GNUC__ */
-+
-+/* OpenSSH isn't multithreaded */
-+#define _ARC4_LOCK()
-+#define _ARC4_UNLOCK()
-+
-+#define KEYSZ 32
-+#define IVSZ 8
-+#define BLOCKSZ 64
-+#define RSBUFSZ (16*BLOCKSZ)
-+static int rs_initialized;
-+static pid_t rs_stir_pid;
-+static chacha_ctx rs; /* chacha context for random keystream */
-+static u_char rs_buf[RSBUFSZ]; /* keystream blocks */
-+static size_t rs_have; /* valid bytes at end of rs_buf */
-+static size_t rs_count; /* bytes till reseed */
-+
-+static inline void _rs_rekey(u_char *dat, size_t datlen);
-+
-+static inline void
-+_rs_init(u_char *buf, size_t n)
-+{
-+ if (n < KEYSZ + IVSZ)
-+ return;
-+ chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
-+ chacha_ivsetup(&rs, buf + KEYSZ);
-+}
-+
-+static void
-+_rs_stir(void)
-+{
-+ u_char rnd[KEYSZ + IVSZ];
-+
-+ if (RAND_bytes(rnd, sizeof(rnd)) <= 0) {
-+ fprintf(stderr,
-+ "libasr: Couldn't obtain random bytes (error %ld)",
-+ ERR_get_error());
-+ exit(1);
-+ }
-+
-+ if (!rs_initialized) {
-+ rs_initialized = 1;
-+ _rs_init(rnd, sizeof(rnd));
-+ } else
-+ _rs_rekey(rnd, sizeof(rnd));
-+ memset(rnd, 0, sizeof(rnd));
-+
-+ /* invalidate rs_buf */
-+ rs_have = 0;
-+ memset(rs_buf, 0, RSBUFSZ);
-+
-+ rs_count = 1600000;
-+}
-+
-+static inline void
-+_rs_stir_if_needed(size_t len)
-+{
-+ pid_t pid = getpid();
-+
-+ if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
-+ rs_stir_pid = pid;
-+ _rs_stir();
-+ } else
-+ rs_count -= len;
-+}
-+
-+static inline void
-+_rs_rekey(u_char *dat, size_t datlen)
-+{
-+#ifndef KEYSTREAM_ONLY
-+ memset(rs_buf, 0,RSBUFSZ);
-+#endif
-+ /* fill rs_buf with the keystream */
-+ chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
-+ /* mix in optional user provided data */
-+ if (dat) {
-+ size_t i, m;
-+
-+ m = MIN(datlen, KEYSZ + IVSZ);
-+ for (i = 0; i < m; i++)
-+ rs_buf[i] ^= dat[i];
-+ }
-+ /* immediately reinit for backtracking resistance */
-+ _rs_init(rs_buf, KEYSZ + IVSZ);
-+ memset(rs_buf, 0, KEYSZ + IVSZ);
-+ rs_have = RSBUFSZ - KEYSZ - IVSZ;
-+}
-+
-+static inline void
-+_rs_random_buf(void *_buf, size_t n)
-+{
-+ u_char *buf = (u_char *)_buf;
-+ size_t m;
-+
-+ _rs_stir_if_needed(n);
-+ while (n > 0) {
-+ if (rs_have > 0) {
-+ m = MIN(n, rs_have);
-+ memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
-+ memset(rs_buf + RSBUFSZ - rs_have, 0, m);
-+ buf += m;
-+ n -= m;
-+ rs_have -= m;
-+ }
-+ if (rs_have == 0)
-+ _rs_rekey(NULL, 0);
-+ }
-+}
-+
-+static inline void
-+_rs_random_u32(u_int32_t *val)
-+{
-+ _rs_stir_if_needed(sizeof(*val));
-+ if (rs_have < sizeof(*val))
-+ _rs_rekey(NULL, 0);
-+ memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
-+ memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
-+ rs_have -= sizeof(*val);
-+ return;
-+}
-+
-+void
-+arc4random_stir(void)
-+{
-+ _ARC4_LOCK();
-+ _rs_stir();
-+ _ARC4_UNLOCK();
-+}
-+
-+void
-+arc4random_addrandom(u_char *dat, int datlen)
-+{
-+ int m;
-+
-+ _ARC4_LOCK();
-+ if (!rs_initialized)
-+ _rs_stir();
-+ while (datlen > 0) {
-+ m = MIN(datlen, KEYSZ + IVSZ);
-+ _rs_rekey(dat, m);
-+ dat += m;
-+ datlen -= m;
-+ }
-+ _ARC4_UNLOCK();
-+}
-+
-+u_int32_t
-+arc4random(void)
-+{
-+ u_int32_t val;
-+
-+ _ARC4_LOCK();
-+ _rs_random_u32(&val);
-+ _ARC4_UNLOCK();
-+ return val;
-+}
-+
-+/*
-+ * If we are providing arc4random, then we can provide a more efficient
-+ * arc4random_buf().
-+ */
-+# ifndef HAVE_ARC4RANDOM_BUF
-+void
-+arc4random_buf(void *buf, size_t n)
-+{
-+ _ARC4_LOCK();
-+ _rs_random_buf(buf, n);
-+ _ARC4_UNLOCK();
-+}
-+# endif /* !HAVE_ARC4RANDOM_BUF */
-+#endif /* !HAVE_ARC4RANDOM */
-+
-+/* arc4random_buf() that uses platform arc4random() */
-+#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM)
-+void
-+arc4random_buf(void *_buf, size_t n)
-+{
-+ size_t i;
-+ u_int32_t r = 0;
-+ char *buf = (char *)_buf;
-+
-+ for (i = 0; i < n; i++) {
-+ if (i % 4 == 0)
-+ r = arc4random();
-+ buf[i] = r & 0xff;
-+ r >>= 8;
-+ }
-+ explicit_bzero(&r, sizeof(r));
-+}
-+#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
-+
-+#ifndef HAVE_ARC4RANDOM_UNIFORM
-+/*
-+ * Calculate a uniformly distributed random number less than upper_bound
-+ * avoiding "modulo bias".
-+ *
-+ * Uniformity is achieved by generating new random numbers until the one
-+ * returned is outside the range [0, 2**32 % upper_bound). This
-+ * guarantees the selected random number will be inside
-+ * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
-+ * after reduction modulo upper_bound.
-+ */
-+u_int32_t
-+arc4random_uniform(u_int32_t upper_bound)
-+{
-+ u_int32_t r, min;
-+
-+ if (upper_bound < 2)
-+ return 0;
-+
-+ /* 2**32 % x == (2**32 - x) % x */
-+ min = -upper_bound % upper_bound;
-+
-+ /*
-+ * This could theoretically loop forever but each retry has
-+ * p > 0.5 (worst case, usually far better) of selecting a
-+ * number inside the range we need, so it should rarely need
-+ * to re-roll.
-+ */
-+ for (;;) {
-+ r = arc4random();
-+ if (r >= min)
-+ break;
-+ }
-+
-+ return r % upper_bound;
-+}
-+#endif /* !HAVE_ARC4RANDOM_UNIFORM */
-+
-+#if 0
-+/*-------- Test code for i386 --------*/
-+#include <stdio.h>
-+#include <machine/pctr.h>
-+int
-+main(int argc, char **argv)
-+{
-+ const int iter = 1000000;
-+ int i;
-+ pctrval v;
-+
-+ v = rdtsc();
-+ for (i = 0; i < iter; i++)
-+ arc4random();
-+ v = rdtsc() - v;
-+ v /= iter;
-+
-+ printf("%qd cycles\n", v);
-+ exit(0);
-+}
-+#endif
-diff --git a/openbsd-compat/chacha_private.h b/openbsd-compat/chacha_private.h
-new file mode 100644
-index 0000000..7c3680f
---- /dev/null
-+++ b/openbsd-compat/chacha_private.h
-@@ -0,0 +1,222 @@
-+/*
-+chacha-merged.c version 20080118
-+D. J. Bernstein
-+Public domain.
-+*/
-+
-+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
-+
-+typedef unsigned char u8;
-+typedef unsigned int u32;
-+
-+typedef struct
-+{
-+ u32 input[16]; /* could be compressed */
-+} chacha_ctx;
-+
-+#define U8C(v) (v##U)
-+#define U32C(v) (v##U)
-+
-+#define U8V(v) ((u8)(v) & U8C(0xFF))
-+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
-+
-+#define ROTL32(v, n) \
-+ (U32V((v) << (n)) | ((v) >> (32 - (n))))
-+
-+#define U8TO32_LITTLE(p) \
-+ (((u32)((p)[0]) ) | \
-+ ((u32)((p)[1]) << 8) | \
-+ ((u32)((p)[2]) << 16) | \
-+ ((u32)((p)[3]) << 24))
-+
-+#define U32TO8_LITTLE(p, v) \
-+ do { \
-+ (p)[0] = U8V((v) ); \
-+ (p)[1] = U8V((v) >> 8); \
-+ (p)[2] = U8V((v) >> 16); \
-+ (p)[3] = U8V((v) >> 24); \
-+ } while (0)
-+
-+#define ROTATE(v,c) (ROTL32(v,c))
-+#define XOR(v,w) ((v) ^ (w))
-+#define PLUS(v,w) (U32V((v) + (w)))
-+#define PLUSONE(v) (PLUS((v),1))
-+
-+#define QUARTERROUND(a,b,c,d) \
-+ a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
-+ c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
-+ a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
-+ c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
-+
-+static const char sigma[16] = "expand 32-byte k";
-+static const char tau[16] = "expand 16-byte k";
-+
-+static void
-+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
-+{
-+ const char *constants;
-+
-+ x->input[4] = U8TO32_LITTLE(k + 0);
-+ x->input[5] = U8TO32_LITTLE(k + 4);
-+ x->input[6] = U8TO32_LITTLE(k + 8);
-+ x->input[7] = U8TO32_LITTLE(k + 12);
-+ if (kbits == 256) { /* recommended */
-+ k += 16;
-+ constants = sigma;
-+ } else { /* kbits == 128 */
-+ constants = tau;
-+ }
-+ x->input[8] = U8TO32_LITTLE(k + 0);
-+ x->input[9] = U8TO32_LITTLE(k + 4);
-+ x->input[10] = U8TO32_LITTLE(k + 8);
-+ x->input[11] = U8TO32_LITTLE(k + 12);
-+ x->input[0] = U8TO32_LITTLE(constants + 0);
-+ x->input[1] = U8TO32_LITTLE(constants + 4);
-+ x->input[2] = U8TO32_LITTLE(constants + 8);
-+ x->input[3] = U8TO32_LITTLE(constants + 12);
-+}
-+
-+static void
-+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
-+{
-+ x->input[12] = 0;
-+ x->input[13] = 0;
-+ x->input[14] = U8TO32_LITTLE(iv + 0);
-+ x->input[15] = U8TO32_LITTLE(iv + 4);
-+}
-+
-+static void
-+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
-+{
-+ u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
-+ u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
-+ u8 *ctarget = NULL;
-+ u8 tmp[64];
-+ u_int i;
-+
-+ if (!bytes) return;
-+
-+ j0 = x->input[0];
-+ j1 = x->input[1];
-+ j2 = x->input[2];
-+ j3 = x->input[3];
-+ j4 = x->input[4];
-+ j5 = x->input[5];
-+ j6 = x->input[6];
-+ j7 = x->input[7];
-+ j8 = x->input[8];
-+ j9 = x->input[9];
-+ j10 = x->input[10];
-+ j11 = x->input[11];
-+ j12 = x->input[12];
-+ j13 = x->input[13];
-+ j14 = x->input[14];
-+ j15 = x->input[15];
-+
-+ for (;;) {
-+ if (bytes < 64) {
-+ for (i = 0;i < bytes;++i) tmp[i] = m[i];
-+ m = tmp;
-+ ctarget = c;
-+ c = tmp;
-+ }
-+ x0 = j0;
-+ x1 = j1;
-+ x2 = j2;
-+ x3 = j3;
-+ x4 = j4;
-+ x5 = j5;
-+ x6 = j6;
-+ x7 = j7;
-+ x8 = j8;
-+ x9 = j9;
-+ x10 = j10;
-+ x11 = j11;
-+ x12 = j12;
-+ x13 = j13;
-+ x14 = j14;
-+ x15 = j15;
-+ for (i = 20;i > 0;i -= 2) {
-+ QUARTERROUND( x0, x4, x8,x12)
-+ QUARTERROUND( x1, x5, x9,x13)
-+ QUARTERROUND( x2, x6,x10,x14)
-+ QUARTERROUND( x3, x7,x11,x15)
-+ QUARTERROUND( x0, x5,x10,x15)
-+ QUARTERROUND( x1, x6,x11,x12)
-+ QUARTERROUND( x2, x7, x8,x13)
-+ QUARTERROUND( x3, x4, x9,x14)
-+ }
-+ x0 = PLUS(x0,j0);
-+ x1 = PLUS(x1,j1);
-+ x2 = PLUS(x2,j2);
-+ x3 = PLUS(x3,j3);
-+ x4 = PLUS(x4,j4);
-+ x5 = PLUS(x5,j5);
-+ x6 = PLUS(x6,j6);
-+ x7 = PLUS(x7,j7);
-+ x8 = PLUS(x8,j8);
-+ x9 = PLUS(x9,j9);
-+ x10 = PLUS(x10,j10);
-+ x11 = PLUS(x11,j11);
-+ x12 = PLUS(x12,j12);
-+ x13 = PLUS(x13,j13);
-+ x14 = PLUS(x14,j14);
-+ x15 = PLUS(x15,j15);
-+
-+#ifndef KEYSTREAM_ONLY
-+ x0 = XOR(x0,U8TO32_LITTLE(m + 0));
-+ x1 = XOR(x1,U8TO32_LITTLE(m + 4));
-+ x2 = XOR(x2,U8TO32_LITTLE(m + 8));
-+ x3 = XOR(x3,U8TO32_LITTLE(m + 12));
-+ x4 = XOR(x4,U8TO32_LITTLE(m + 16));
-+ x5 = XOR(x5,U8TO32_LITTLE(m + 20));
-+ x6 = XOR(x6,U8TO32_LITTLE(m + 24));
-+ x7 = XOR(x7,U8TO32_LITTLE(m + 28));
-+ x8 = XOR(x8,U8TO32_LITTLE(m + 32));
-+ x9 = XOR(x9,U8TO32_LITTLE(m + 36));
-+ x10 = XOR(x10,U8TO32_LITTLE(m + 40));
-+ x11 = XOR(x11,U8TO32_LITTLE(m + 44));
-+ x12 = XOR(x12,U8TO32_LITTLE(m + 48));
-+ x13 = XOR(x13,U8TO32_LITTLE(m + 52));
-+ x14 = XOR(x14,U8TO32_LITTLE(m + 56));
-+ x15 = XOR(x15,U8TO32_LITTLE(m + 60));
-+#endif
-+
-+ j12 = PLUSONE(j12);
-+ if (!j12) {
-+ j13 = PLUSONE(j13);
-+ /* stopping at 2^70 bytes per nonce is user's responsibility */
-+ }
-+
-+ U32TO8_LITTLE(c + 0,x0);
-+ U32TO8_LITTLE(c + 4,x1);
-+ U32TO8_LITTLE(c + 8,x2);
-+ U32TO8_LITTLE(c + 12,x3);
-+ U32TO8_LITTLE(c + 16,x4);
-+ U32TO8_LITTLE(c + 20,x5);
-+ U32TO8_LITTLE(c + 24,x6);
-+ U32TO8_LITTLE(c + 28,x7);
-+ U32TO8_LITTLE(c + 32,x8);
-+ U32TO8_LITTLE(c + 36,x9);
-+ U32TO8_LITTLE(c + 40,x10);
-+ U32TO8_LITTLE(c + 44,x11);
-+ U32TO8_LITTLE(c + 48,x12);
-+ U32TO8_LITTLE(c + 52,x13);
-+ U32TO8_LITTLE(c + 56,x14);
-+ U32TO8_LITTLE(c + 60,x15);
-+
-+ if (bytes <= 64) {
-+ if (bytes < 64) {
-+ for (i = 0;i < bytes;++i) ctarget[i] = c[i];
-+ }
-+ x->input[12] = j12;
-+ x->input[13] = j13;
-+ return;
-+ }
-+ bytes -= 64;
-+ c += 64;
-+#ifndef KEYSTREAM_ONLY
-+ m += 64;
-+#endif
-+ }
-+}
-diff --git a/openbsd-compat/defines.h b/openbsd-compat/defines.h
-index da7a42c..b734c90 100644
---- a/openbsd-compat/defines.h
-+++ b/openbsd-compat/defines.h
-@@ -745,6 +745,15 @@ struct winsize {
- #define INET6_ADDRSTRLEN 46
- #endif
-
-+/*
-+ * Platforms that have arc4random_uniform() and not arc4random_stir()
-+ * shouldn't need the latter.
-+ */
-+#if defined(HAVE_ARC4RANDOM) && defined(HAVE_ARC4RANDOM_UNIFORM) && \
-+ !defined(HAVE_ARC4RANDOM_STIR)
-+# define arc4random_stir()
-+#endif
-+
- #ifndef HAVE_VA_COPY
- # ifdef HAVE___VA_COPY
- # define va_copy(dest, src) __va_copy(dest, src)
-@@ -823,7 +832,7 @@ struct winsize {
- #endif
-
- #ifndef NETDB_SUCCESS
--# define NETDB_SUCCESS -1
-+# define NETDB_SUCCESS 0
- #endif
-
- /* end of chl */
-diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
-index c30591c..7baccc8 100644
---- a/openbsd-compat/openbsd-compat.h
-+++ b/openbsd-compat/openbsd-compat.h
-@@ -63,7 +63,28 @@ char *strsep(char **stringp, const char *delim);
-
- #ifndef HAVE_ASPRINTF
- int asprintf(char **, const char *, ...);
--#endif
-+#endif
-+
-+#ifdef HAVE_ARC4RANDOM
-+# ifndef HAVE_ARC4RANDOM_STIR
-+# define arc4random_stir()
-+# endif
-+#else
-+unsigned int arc4random(void);
-+void arc4random_stir(void);
-+#endif /* !HAVE_ARC4RANDOM */
-+
-+#ifndef HAVE_ARC4RANDOM_BUF
-+void arc4random_buf(void *, size_t);
-+#endif
-+
-+#ifndef HAVE_ARC4RANDOM_UNIFORM
-+u_int32_t arc4random_uniform(u_int32_t);
-+#endif
-+
-+#ifndef HAVE_RES_RANDOMID
-+u_int res_randomid(void);
-+#endif
-
- /* #include <sys/types.h> XXX needed? For size_t */
-
-diff --git a/openbsd-compat/res_random.c b/openbsd-compat/res_random.c
-new file mode 100644
-index 0000000..7910019
---- /dev/null
-+++ b/openbsd-compat/res_random.c
-@@ -0,0 +1,283 @@
-+/* $OpenBSD: res_random.c,v 1.22 2015/06/04 19:26:39 eric Exp $ */
-+
-+/*
-+ * Copyright 1997 Niels Provos <[email protected]>
-+ * Copyright 2008 Damien Miller <[email protected]>
-+ * All rights reserved.
-+ *
-+ * Theo de Raadt <[email protected]> came up with the idea of using
-+ * such a mathematical system to generate more random (yet non-repeating)
-+ * ids to solve the resolver/named problem. But Niels designed the
-+ * actual system based on the constraints.
-+ *
-+ * Later modified by Damien Miller to wrap the LCG output in a 15-bit
-+ * permutation generator based on a Luby-Rackoff block cipher. This
-+ * ensures the output is non-repeating and preserves the MSB twiddle
-+ * trick, but makes it more resistant to LCG prediction.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+/*
-+ * seed = random 15bit
-+ * n = prime, g0 = generator to n,
-+ * j = random so that gcd(j,n-1) == 1
-+ * g = g0^j mod n will be a generator again.
-+ *
-+ * X[0] = random seed.
-+ * X[n] = a*X[n-1]+b mod m is a Linear Congruential Generator
-+ * with a = 7^(even random) mod m,
-+ * b = random with gcd(b,m) == 1
-+ * m = 31104 and a maximal period of m-1.
-+ *
-+ * The transaction id is determined by:
-+ * id[n] = seed xor (g^X[n] mod n)
-+ *
-+ * Effectivly the id is restricted to the lower 15 bits, thus
-+ * yielding two different cycles by toggling the msb on and off.
-+ * This avoids reuse issues caused by reseeding.
-+ *
-+ * The output of this generator is then randomly permuted though a
-+ * custom 15 bit Luby-Rackoff block cipher.
-+ */
-+
-+#include <sys/types.h>
-+#include <netinet/in.h>
-+#include <sys/time.h>
-+#include <resolv.h>
-+
-+#include <unistd.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <time.h>
-+
-+#include "thread_private.h"
-+
-+#include "openbsd-compat.h"
-+
-+#define RU_OUT 180 /* Time after wich will be reseeded */
-+#define RU_MAX 30000 /* Uniq cycle, avoid blackjack prediction */
-+#define RU_GEN 2 /* Starting generator */
-+#define RU_N 32749 /* RU_N-1 = 2*2*3*2729 */
-+#define RU_AGEN 7 /* determine ru_a as RU_AGEN^(2*rand) */
-+#define RU_M 31104 /* RU_M = 2^7*3^5 - don't change */
-+#define RU_ROUNDS 11 /* Number of rounds for permute (odd) */
-+
-+struct prf_ctx {
-+ /* PRF lookup table for odd rounds (7 bits input to 8 bits output) */
-+ u_char prf7[(RU_ROUNDS / 2) * (1 << 7)];
-+
-+ /* PRF lookup table for even rounds (8 bits input to 7 bits output) */
-+ u_char prf8[((RU_ROUNDS + 1) / 2) * (1 << 8)];
-+};
-+
-+#define PFAC_N 3
-+static const u_int16_t pfacts[PFAC_N] = {
-+ 2,
-+ 3,
-+ 2729
-+};
-+
-+static u_int16_t ru_x;
-+static u_int16_t ru_seed, ru_seed2;
-+static u_int16_t ru_a, ru_b;
-+static u_int16_t ru_g;
-+static u_int16_t ru_counter = 0;
-+static u_int16_t ru_msb = 0;
-+static struct prf_ctx *ru_prf = NULL;
-+static time_t ru_reseed;
-+static pid_t ru_pid;
-+
-+static u_int16_t pmod(u_int16_t, u_int16_t, u_int16_t);
-+static void res_initid(void);
-+
-+/*
-+ * Do a fast modular exponation, returned value will be in the range
-+ * of 0 - (mod-1)
-+ */
-+static u_int16_t
-+pmod(u_int16_t gen, u_int16_t exp, u_int16_t mod)
-+{
-+ u_int16_t s, t, u;
-+
-+ s = 1;
-+ t = gen;
-+ u = exp;
-+
-+ while (u) {
-+ if (u & 1)
-+ s = (s * t) % mod;
-+ u >>= 1;
-+ t = (t * t) % mod;
-+ }
-+ return (s);
-+}
-+
-+/*
-+ * 15-bit permutation based on Luby-Rackoff block cipher
-+ */
-+static u_int
-+permute15(u_int in)
-+{
-+ int i;
-+ u_int left, right, tmp;
-+
-+ if (ru_prf == NULL)
-+ return in;
-+
-+ left = (in >> 8) & 0x7f;
-+ right = in & 0xff;
-+
-+ /*
-+ * Each round swaps the width of left and right. Even rounds have
-+ * a 7-bit left, odd rounds have an 8-bit left. Since this uses an
-+ * odd number of rounds, left is always 8 bits wide at the end.
-+ */
-+ for (i = 0; i < RU_ROUNDS; i++) {
-+ if ((i & 1) == 0)
-+ tmp = ru_prf->prf8[(i << (8 - 1)) | right] & 0x7f;
-+ else
-+ tmp = ru_prf->prf7[((i - 1) << (7 - 1)) | right];
-+ tmp ^= left;
-+ left = right;
-+ right = tmp;
-+ }
-+
-+ return (right << 8) | left;
-+}
-+
-+/*
-+ * Initializes the seed and chooses a suitable generator. Also toggles
-+ * the msb flag. The msb flag is used to generate two distinct
-+ * cycles of random numbers and thus avoiding reuse of ids.
-+ *
-+ * This function is called from res_randomid() when needed, an
-+ * application does not have to worry about it.
-+ */
-+static void
-+res_initid(void)
-+{
-+ u_int16_t j, i;
-+ u_int32_t tmp;
-+ int noprime = 1;
-+ struct timespec ts;
-+
-+ ru_x = arc4random_uniform(RU_M);
-+
-+ /* 15 bits of random seed */
-+ tmp = arc4random();
-+ ru_seed = (tmp >> 16) & 0x7FFF;
-+ ru_seed2 = tmp & 0x7FFF;
-+
-+ /* Determine the LCG we use */
-+ tmp = arc4random();
-+ ru_b = (tmp & 0xfffe) | 1;
-+ ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M);
-+ while (ru_b % 3 == 0)
-+ ru_b += 2;
-+
-+ j = arc4random_uniform(RU_N);
-+
-+ /*
-+ * Do a fast gcd(j,RU_N-1), so we can find a j with
-+ * gcd(j, RU_N-1) == 1, giving a new generator for
-+ * RU_GEN^j mod RU_N
-+ */
-+
-+ while (noprime) {
-+ for (i = 0; i < PFAC_N; i++)
-+ if (j % pfacts[i] == 0)
-+ break;
-+
-+ if (i >= PFAC_N)
-+ noprime = 0;
-+ else
-+ j = (j + 1) % RU_N;
-+ }
-+
-+ ru_g = pmod(RU_GEN, j, RU_N);
-+ ru_counter = 0;
-+
-+ /* Initialise PRF for Luby-Rackoff permutation */
-+ if (ru_prf == NULL)
-+ ru_prf = malloc(sizeof(*ru_prf));
-+ if (ru_prf != NULL)
-+ arc4random_buf(ru_prf, sizeof(*ru_prf));
-+
-+ clock_gettime(CLOCK_MONOTONIC, &ts);
-+ ru_reseed = ts.tv_sec + RU_OUT;
-+ ru_msb = ru_msb == 0x8000 ? 0 : 0x8000;
-+}
-+
-+u_int
-+res_randomid(void)
-+{
-+ struct timespec ts;
-+ pid_t pid;
-+ u_int r;
-+ _THREAD_PRIVATE_MUTEX(random);
-+
-+ clock_gettime(CLOCK_MONOTONIC, &ts);
-+ pid = getpid();
-+
-+ _THREAD_PRIVATE_MUTEX_LOCK(random);
-+
-+ if (ru_counter >= RU_MAX || ts.tv_sec > ru_reseed || pid != ru_pid) {
-+ res_initid();
-+ ru_pid = pid;
-+ }
-+
-+ /* Linear Congruential Generator */
-+ ru_x = (ru_a * ru_x + ru_b) % RU_M;
-+ ru_counter++;
-+
-+ r = permute15(ru_seed ^ pmod(ru_g, ru_seed2 + ru_x, RU_N)) | ru_msb;
-+
-+ _THREAD_PRIVATE_MUTEX_UNLOCK(random);
-+
-+ return (r);
-+}
-+
-+#if 0
-+int
-+main(int argc, char **argv)
-+{
-+ int i, n;
-+ u_int16_t wert;
-+
-+ res_initid();
-+
-+ printf("Generator: %u\n", ru_g);
-+ printf("Seed: %u\n", ru_seed);
-+ printf("Reseed at %ld\n", ru_reseed);
-+ printf("Ru_X: %u\n", ru_x);
-+ printf("Ru_A: %u\n", ru_a);
-+ printf("Ru_B: %u\n", ru_b);
-+
-+ n = argc > 1 ? atoi(argv[1]) : 60001;
-+ for (i=0;i<n;i++) {
-+ wert = res_randomid();
-+ printf("%u\n", wert);
-+ }
-+ return 0;
-+}
-+#endif
-+
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 2e2e40d..75353d4 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -12,6 +12,11 @@ libasr_la_SOURCES += $(top_srcdir)/openbsd-compat/strlcpy.c
- libasr_la_SOURCES += $(top_srcdir)/openbsd-compat/strsep.c
- libasr_la_SOURCES += $(top_srcdir)/openbsd-compat/strtonum.c
-
-+if USE_OPENBSD_RES_RANDOM
-+libasr_la_SOURCES += $(top_srcdir)/openbsd-compat/arc4random.c
-+libasr_la_SOURCES += $(top_srcdir)/openbsd-compat/res_random.c
-+endif
-+
- include_HEADERS = asr.h
-
- libasr_la_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/openbsd-compat
diff --git a/main/libasr/0001-Fix-NETDB_SUCCESS-value.patch b/main/libasr/0001-Fix-NETDB_SUCCESS-value.patch
new file mode 100644
index 0000000000..34ae1807b0
--- /dev/null
+++ b/main/libasr/0001-Fix-NETDB_SUCCESS-value.patch
@@ -0,0 +1,25 @@
+From 37b6c29ad32692aa0fea5a65492ddbea0b4a8b5d Mon Sep 17 00:00:00 2001
+From: Jonathan Curran <[email protected]>
+Date: Wed, 9 Sep 2015 17:11:55 +0000
+Subject: [PATCH 1/3] Fix NETDB_SUCCESS value
+
+---
+ openbsd-compat/defines.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/openbsd-compat/defines.h b/openbsd-compat/defines.h
+index da7a42c..9f50ece 100644
+--- a/openbsd-compat/defines.h
++++ b/openbsd-compat/defines.h
+@@ -823,7 +823,7 @@ struct winsize {
+ #endif
+
+ #ifndef NETDB_SUCCESS
+-# define NETDB_SUCCESS -1
++# define NETDB_SUCCESS 0
+ #endif
+
+ /* end of chl */
+--
+2.11.1
+
diff --git a/main/libasr/0002-Replace-missing-res_randomid-with-the-more-secure-ar.patch b/main/libasr/0002-Replace-missing-res_randomid-with-the-more-secure-ar.patch
new file mode 100644
index 0000000000..023b508b01
--- /dev/null
+++ b/main/libasr/0002-Replace-missing-res_randomid-with-the-more-secure-ar.patch
@@ -0,0 +1,66 @@
+From fb2c3b37d1022d84506ca0815c7c888c4f08e90c Mon Sep 17 00:00:00 2001
+From: xentec <[email protected]>
+Date: Sat, 11 Feb 2017 14:39:24 +0000
+Subject: [PATCH 2/3] Replace missing res_randomid() with the more secure
+ arc4random()
+
+---
+ configure.ac | 2 ++
+ openbsd-compat/openbsd-compat.h | 2 ++
+ src/res_mkquery.c | 2 +-
+ src/res_send_async.c | 2 +-
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 10aff04..fa0e896 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -264,6 +264,8 @@ AC_ARG_WITH([Werror],
+ )
+ #l325
+
++LIBS="-lcrypto $LIBS"
++
+ AC_CHECK_HEADERS([ \
+ crypt.h \
+ dirent.h \
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index c30591c..9be2e0b 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -123,4 +123,6 @@ int res_hnok(const char *);
+ int clock_gettime(int, struct timespec *);
+ #endif
+
++unsigned int arc4random(void);
++
+ #endif /* _OPENBSD_COMPAT_H */
+diff --git a/src/res_mkquery.c b/src/res_mkquery.c
+index 27ed21e..cce4029 100644
+--- a/src/res_mkquery.c
++++ b/src/res_mkquery.c
+@@ -57,7 +57,7 @@ res_mkquery(int op, const char *dname, int class, int type,
+ ac = asr_use_resolver(NULL);
+
+ memset(&h, 0, sizeof h);
+- h.id = res_randomid();
++ h.id = arc4random();
+ if (ac->ac_options & RES_RECURSE)
+ h.flags |= RD_MASK;
+ h.qdcount = 1;
+diff --git a/src/res_send_async.c b/src/res_send_async.c
+index a60aa0d..a0f4704 100644
+--- a/src/res_send_async.c
++++ b/src/res_send_async.c
+@@ -380,7 +380,7 @@ setup_query(struct asr_query *as, const char *name, const char *dom,
+ as->as.dns.obuflen = 0;
+
+ memset(&h, 0, sizeof h);
+- h.id = res_randomid();
++ h.id = arc4random();
+ if (as->as_ctx->ac_options & RES_RECURSE)
+ h.flags |= RD_MASK;
+ h.qdcount = 1;
+--
+2.11.1
+
diff --git a/main/libasr/0003-no-need-for-openssl-in-libasr.patch b/main/libasr/0003-no-need-for-openssl-in-libasr.patch
new file mode 100644
index 0000000000..1e91c66003
--- /dev/null
+++ b/main/libasr/0003-no-need-for-openssl-in-libasr.patch
@@ -0,0 +1,25 @@
+From a392a940bd0c83393fd76eabe08b1743b396b095 Mon Sep 17 00:00:00 2001
+From: Gilles Chehade <[email protected]>
+Date: Sat, 13 Feb 2016 14:03:02 +0100
+Subject: [PATCH 3/3] no need for openssl in libasr...
+
+---
+ openbsd-compat/includes.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/openbsd-compat/includes.h b/openbsd-compat/includes.h
+index bc3d46b..5b680d3 100644
+--- a/openbsd-compat/includes.h
++++ b/openbsd-compat/includes.h
+@@ -70,8 +70,6 @@
+ #endif
+ /* end of chl*/
+
+-#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
+-
+ #include "defines.h"
+
+ #include "openbsd-compat.h"
+--
+2.11.1
+
diff --git a/main/libasr/APKBUILD b/main/libasr/APKBUILD
index d5b81757a7..b3801c2cd3 100644
--- a/main/libasr/APKBUILD
+++ b/main/libasr/APKBUILD
@@ -12,41 +12,41 @@ depends_dev=""
makedepends="mdocml bison libressl-dev automake autoconf libtool"
install=""
subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/OpenSMTPD/libasr/archive/libasr-$pkgver.zip
- 00-use-openbsd-res_randomid.patch"
+source="https://github.com/OpenSMTPD/libasr/archive/libasr-$pkgver.tar.gz
+ 0001-Fix-NETDB_SUCCESS-value.patch
+ 0002-Replace-missing-res_randomid-with-the-more-secure-ar.patch
+ 0003-no-need-for-openssl-in-libasr.patch
+ "
-_builddir=${srcdir}/${pkgname}-${pkgname}-${pkgver}
+builddir=${srcdir}/${pkgname}-${pkgname}-${pkgver}
prepare() {
- local i
- cd "$_builddir"
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
- ./bootstrap
+ default_prepare || return 1
+
+ cd "$builddir"
+ ./bootstrap || return 1
}
build() {
- cd "$_builddir"
- ./configure --build=$CBUILD \
+ cd "$builddir"
+
+ ./configure --build=$CBUILD \
--host=$CHOST \
--with-pie \
--with-Werror \
--prefix=/usr \
--mandir=/usr/share/man \
- --with-mantype=man || return 1
- make || return 1
+ --with-mantype=man \
+ || return 1
+
+ make || return 1
}
package() {
- cd "$_builddir"
- make DESTDIR=${pkgdir} install || return 1
+ cd "$builddir"
+ make DESTDIR=${pkgdir} install || return 1
}
-md5sums="1919b1b1c5a08821901fd2c0a6d488a7 libasr-1.0.2.zip
-2d32d1f831dc000137d5fcaf9db3e33f 00-use-openbsd-res_randomid.patch"
-sha256sums="8e1ed7420446219d105ac0c384cf69160791335dc69bf1ca0581279472241ca7 libasr-1.0.2.zip
-19ad3fe95f881b60c317ec63777c1b4843dbaea39d28343eb67c5bdbabe4e5f9 00-use-openbsd-res_randomid.patch"
-sha512sums="2b9185c9bd953d093be397554bc024ddab03003e0c56f19018a8bc22d48434fe3364274fef631cd5e2984321368baff4cd4a504d61b71c60ceffd9e5cc3c8124 libasr-1.0.2.zip
-2dd30b5147562f209b23b4a939be787304125cf559bccd937781149cc7cb487c4cf6ec358fba32a33407c7ca3e44545ebbe04ddc2a14504835409f23bdef9689 00-use-openbsd-res_randomid.patch"
+sha512sums="d70d5fb5728678074f4fd3d0f925b13a8a5ac9fec7a38277f2ed0e6b3f3fe2591845d035f43ece1ee16f1fdfd7d7443140ca36f171f94f310ed821b88b82b924 libasr-1.0.2.tar.gz
+aebd80ae1fd33604f547833d4244161cc8551404c61e666967062e484a30d88f597e71c9f9956a3604bf02e625d8aabd9b4669d3efad1a2a15efb2f8acd8ac03 0001-Fix-NETDB_SUCCESS-value.patch
+2bef347875b1ad4ec47a6d642e0f555f40906e19bce7684fd89c1c3c867f67fff8cf42ddd836480ee73a8b4491ef9385f84c12f39197d677d239f8ac23d740a0 0002-Replace-missing-res_randomid-with-the-more-secure-ar.patch
+32ffc6e64d9eeb7aa37a2f4b4633ac462508f2ee7a9152b6c6b87aeebdcc89e809e839d4cc66ed49486b98d34706ff8cd86d8466663bd8712dacd99cfec64e03 0003-no-need-for-openssl-in-libasr.patch"
--
2.11.1
Raw
0002-main-opensmtpd-improve-compatibility-with-libressl.patch
From a850a30fbb42091337645d8eaebe653fcb2bc208 Mon Sep 17 00:00:00 2001
From: xentec <[email protected]>
Date: Sat, 11 Feb 2017 14:53:16 +0000
Subject: [PATCH 2/2] main/opensmtpd: improve compatibility with libressl
---
main/opensmtpd/APKBUILD | 16 +--
...mtpd-0001-fix-compatibility-with-libressl.patch | 108 +++++++++++++++++++++
...d-5.7.3p2-libressl-arc4random-circularity.patch | 35 -------
3 files changed, 112 insertions(+), 47 deletions(-)
create mode 100644 main/opensmtpd/opensmtpd-0001-fix-compatibility-with-libressl.patch
delete mode 100644 main/opensmtpd/opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch
diff --git a/main/opensmtpd/APKBUILD b/main/opensmtpd/APKBUILD
index c522e50a1a..2503064768 100644
--- a/main/opensmtpd/APKBUILD
+++ b/main/opensmtpd/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Jonathan Curran <[email protected]>
pkgname=opensmtpd
pkgver=5.9.2p1
-pkgrel=3
+pkgrel=4
pkgdesc="secure, reliable, lean, and easy-to configure SMTP server"
url="http://www.opensmtpd.org"
arch="all"
@@ -17,7 +17,7 @@ subpackages="$pkgname-doc"
source="https://www.opensmtpd.org/archives/${pkgname}-${pkgver}.tar.gz
smtpd.initd
aliases
- opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch"
+ opensmtpd-0001-fix-compatibility-with-libressl.patch"
options="suid"
builddir="$srcdir"/$pkgname-$pkgver
@@ -38,7 +38,7 @@ build() {
--with-pie \
--with-path-CAfile=/etc/ssl/certs/ca-certificates.crt \
--with-mantype=man || return 1
- make || return 1
+ make || return 1
}
package() {
@@ -54,15 +54,7 @@ package() {
done
}
-md5sums="d109374dcc4bc8be14f790b859f1dd31 opensmtpd-5.9.2p1.tar.gz
-a2f311a82c9a85f5c52975c4dbbdbd53 smtpd.initd
-561d2aead043a64a4ce5d66b4f78223e aliases
-a4c72a6a5fe18b514571e4baac19756f opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch"
-sha256sums="3522f273c1630c781facdb2b921228e338ed4e651909316735df775d6a70a71d opensmtpd-5.9.2p1.tar.gz
-ab4b7f066a38dadd7a2dc6d7c3a06c3a8ac2367340d97e2a8b54f571ea0f8cf8 smtpd.initd
-7bef80f8d86aa5463c864681482a4908d22ff8b6f3e47d2a410ef2d59b316b53 aliases
-0dee9bb91e191bfe51e8609c9469cc141af1b1c049869db4eebbf0bbb55971f6 opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch"
sha512sums="99ca15101557848aa6d642f0c0171b152d805192e6839a97410b19431c981a21a5c0dc011e2c8cd91f3e6f6acb37a77f0f4c8e68114bf9808240392fe2b5d375 opensmtpd-5.9.2p1.tar.gz
8152fecadeb1d818b7865eae040123f855e81fafbb4b40d12a64336e09dc486c10e6828809182c8172bfd9f54dc7d050a154b61d5e6049df6ffd8a7b6e5e1277 smtpd.initd
929ba0b8befca6cad558602f9793a9c653923924ee524902916b8ef4952d1ea8a391895e7450ed9768eb82a07bd307b49561f5d49ea4711bd87a1a73eb8d7dad aliases
-f1958f86edbf558bac88f944196670b4d34b7367f8479ef13433981bcb174afd7aa0e42aa447eac4bd46b0be849e2cf97313cc1073782c86c4c0a4aa7326b456 opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch"
+ffb3aaf242b6269075155da16029d8c670261960c9aca494ee8b539a91bd3386e82cebb8e85e03a4680ca700c3ace0197d9d5b73da664f597762a1d0ba0b6ac2 opensmtpd-0001-fix-compatibility-with-libressl.patch"
diff --git a/main/opensmtpd/opensmtpd-0001-fix-compatibility-with-libressl.patch b/main/opensmtpd/opensmtpd-0001-fix-compatibility-with-libressl.patch
new file mode 100644
index 0000000000..52eb89f805
--- /dev/null
+++ b/main/opensmtpd/opensmtpd-0001-fix-compatibility-with-libressl.patch
@@ -0,0 +1,108 @@
+From 192c74ab92a1bb265770dc6ff194ab6408f7582e Mon Sep 17 00:00:00 2001
+From: Samuel Holland <[email protected]>
+Date: Wed, 11 Jan 2017 17:35:29 -0600
+Subject: [PATCH] fix compatibility with libressl
+
+These functions are exported by libcrypto from libressl, due to its
+similar OpenBSD compatibility layer, but they are not present in any
+header files. Thus, while we can use the existing compiled function,
+and do not need to provide our own, we do need to provide the prototype
+for it.
+
+This avoids implicit function declarations and the resulting crashes due
+to pointer truncation.
+
+The patch is based on an equivalent patch for OpenSSH from
+https://bugzilla.mindrot.org/show_bug.cgi?id=2465
+Also see
+https://github.com/libressl-portable/portable/issues/109
+
+Fixes #691
+---
+ openbsd-compat/defines.h | 9 ---------
+ openbsd-compat/openbsd-compat.h | 28 ++++++++++++++++------------
+ 2 files changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/openbsd-compat/defines.h b/openbsd-compat/defines.h
+index 480f92a..d779724 100644
+--- a/openbsd-compat/defines.h
++++ b/openbsd-compat/defines.h
+@@ -422,15 +422,6 @@ typedef u_int16_t in_port_t;
+ #define INET6_ADDRSTRLEN 46
+ #endif
+
+-/*
+- * Platforms that have arc4random_uniform() and not arc4random_stir()
+- * shouldn't need the latter.
+- */
+-#if defined(HAVE_ARC4RANDOM) && defined(HAVE_ARC4RANDOM_UNIFORM) && \
+- !defined(HAVE_ARC4RANDOM_STIR)
+-# define arc4random_stir()
+-#endif
+-
+ #ifndef HAVE_VA_COPY
+ # ifdef HAVE___VA_COPY
+ # define va_copy(dest, src) __va_copy(dest, src)
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index a5ee2d3..f36afcf 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -119,23 +119,27 @@ int BSDoptind; /* index into parent argv vector */
+ int getpeereid(int , uid_t *, gid_t *);
+ #endif
+
+-#ifdef HAVE_ARC4RANDOM
+-# ifndef HAVE_ARC4RANDOM_STIR
+-# define arc4random_stir()
+-# endif
+-#else
++#if !defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
+ unsigned int arc4random(void);
++#endif
++
++#if defined(HAVE_ARC4RANDOM_STIR)
+ void arc4random_stir(void);
+-#endif /* !HAVE_ARC4RANDOM */
++#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
++/* Recent system/libressl implementation; no need for explicit stir */
++# define arc4random_stir()
++#else
++/* openbsd-compat/arc4random.c provides arc4random_stir() */
++void arc4random_stir(void);
++#endif
+
+-#ifndef HAVE_ARC4RANDOM_BUF
++#if !defined(HAVE_ARC4RANDOM_BUF) || defined(LIBRESSL_VERSION_NUMBER)
+ void arc4random_buf(void *, size_t);
+ #endif
+
+-#ifndef HAVE_ARC4RANDOM_UNIFORM
+-u_int32_t arc4random_uniform(u_int32_t);
++#if !defined(HAVE_ARC4RANDOM_UNIFORM) || defined(LIBRESSL_VERSION_NUMBER)
++uint32_t arc4random_uniform(uint32_t);
+ #endif
+-
+ #ifndef HAVE_ASPRINTF
+ int asprintf(char **, const char *, ...);
+ #endif
+@@ -174,7 +178,7 @@ int vasprintf(char **, const char *, va_list);
+ int vsnprintf(char *, size_t, const char *, va_list);
+ #endif
+
+-#ifndef HAVE_EXPLICIT_BZERO
++#if !defined(HAVE_EXPLICIT_BZERO) || defined(LIBRESSL_VERSION_NUMBER)
+ void explicit_bzero(void *p, size_t n);
+ #endif
+
+@@ -200,7 +204,7 @@ int pidfile(const char *basename);
+ struct passwd *pw_dup(const struct passwd *);
+ #endif
+
+-#ifndef HAVE_REALLOCARRAY
++#if !defined(HAVE_REALLOCARRAY) || defined(LIBRESSL_VERSION_NUMBER)
+ void *reallocarray(void *, size_t, size_t);
+ #endif
+
+--
+2.11.1
+
diff --git a/main/opensmtpd/opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch b/main/opensmtpd/opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch
deleted file mode 100644
index 7c35862914..0000000000
--- a/main/opensmtpd/opensmtpd-5.7.3p2-libressl-arc4random-circularity.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff -ru opensmtpd-5.7.3p2/openbsd-compat/arc4random.c opensmtpd-5.7.3p2-fixed/openbsd-compat/arc4random.c
---- opensmtpd-5.7.3p2/openbsd-compat/arc4random.c 2016-02-02 08:40:06.000000000 +0100
-+++ opensmtpd-5.7.3p2-fixed/openbsd-compat/arc4random.c 2016-03-02 17:34:24.535030362 +0100
-@@ -188,6 +188,7 @@
- _ARC4_UNLOCK();
- }
-
-+#if 0
- u_int32_t
- arc4random(void)
- {
-@@ -198,12 +199,13 @@
- _ARC4_UNLOCK();
- return val;
- }
-+#endif
-
- /*
- * If we are providing arc4random, then we can provide a more efficient
- * arc4random_buf().
- */
--# ifndef HAVE_ARC4RANDOM_BUF
-+#if 0
- void
- arc4random_buf(void *buf, size_t n)
- {
-@@ -215,7 +217,7 @@
- #endif /* !HAVE_ARC4RANDOM */
-
- /* arc4random_buf() that uses platform arc4random() */
--#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM)
-+#if 0
- void
- arc4random_buf(void *_buf, size_t n)
- {
--
2.11.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment