From: Tony Morlan
To: freebsd-current@freebsd.org
Subject: WITHOUT_OPENSSL build failure
Date: Mon, 9 Jun 2014 17:18:04 -0500
Message-ID: <20140609221804.GL46752@jasper.scroner.com>

Hello!

When trying to buildworld from 267293 with WITHOUT_OPENSSL I run into a few issues. It seems that the following options currently need to be implied:

WITHOUT_LDNS
WITHOUT_BSNMP
WITHOUT_DMAGENT
WITHOUT_PKGBOOTSTRAP
WITHOUT_SVNLITE

The WITHOUT_BSNMP option also currently needs to enforce WITHOUT_ATM.

With those all set, WITHOUT_OPENSSL almost works. There remains a warning in libfetch, and both ctld and iscsid use OpenSSL with the option set or not.

I've included a patch with a one-liner change to avoid the warning in libfetch, and changes to usr.sbin/ctld and usr.sbin/iscsid to use arc4random_buf and md5.h instead of similar OpenSSL functions. I don't use iscsi, so that part of the patch is unfortunately untested. It might be preferable to add WITHOUT_CTLD and WITHOUT_ISCSID instead.

Tony --xHFwDpU9dbj6ez1V Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="without_openssl.patch" Content-Transfer-Encoding: quoted-printable Index: lib/libfetch/common.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- lib/libfetch/common.c (revision 267293) +++ lib/libfetch/common.c (working copy) @@ -888,6 +888,7 @@ return (0); #else (void)conn; + (void)URL; (void)verbose; fprintf(stderr, "SSL support disabled\n"); return (-1); Index: usr.sbin/ctld/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- usr.sbin/ctld/Makefile (revision 267293) +++ usr.sbin/ctld/Makefile (working copy) @@ -9,8 +9,8 @@ #CFLAGS+=3D -DICL_KERNEL_PROXY MAN=3D ctld.8 ctl.conf.5 =20 -DPADD=3D ${LIBCAM} ${LIBSBUF} ${LIBBSDXML} ${LIBUTIL} -LDADD=3D -lbsdxml -lcam -lcrypto -lfl -lsbuf -lssl -lutil +DPADD=3D ${LIBCAM} ${LIBMD} ${LIBSBUF} ${LIBBSDXML} ${LIBUTIL} +LDADD=3D -lbsdxml -lcam -lfl -lmd -lsbuf -lutil -lmd =20 YFLAGS+=3D -v CLEANFILES=3D y.tab.c y.tab.h y.output Index: usr.sbin/ctld/login.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- usr.sbin/ctld/login.c (revision 267293) +++ usr.sbin/ctld/login.c (working copy) @@ -37,9 +37,7 @@ #include #include #include -#include -#include -#include +#include =20 #include "ctld.h" #include "iscsi_proto.h" 
@@ -356,17 +354,14 @@ size_t response_len) { MD5_CTX ctx; - int rv; =20 assert(response_len =3D=3D MD5_DIGEST_LENGTH); =20 - MD5_Init(&ctx); - MD5_Update(&ctx, &id, sizeof(id)); - MD5_Update(&ctx, secret, strlen(secret)); - MD5_Update(&ctx, challenge, challenge_len); - rv =3D MD5_Final(response, &ctx); - if (rv !=3D 1) - log_errx(1, "MD5_Final"); + MD5Init(&ctx); + MD5Update(&ctx, &id, sizeof(id)); + MD5Update(&ctx, secret, strlen(secret)); + MD5Update(&ctx, challenge, challenge_len); + MD5Final(response, &ctx); } =20 #define LOGIN_CHALLENGE_LEN 1024 @@ -565,7 +560,6 @@ struct pdu *request; char challenge_bin[LOGIN_CHALLENGE_LEN]; unsigned char id; - int rv; =20 /* * Receive CHAP_A PDU. @@ -576,18 +570,8 @@ /* * Generate the challenge. */ - rv =3D RAND_bytes(challenge_bin, sizeof(challenge_bin)); - if (rv !=3D 1) { - login_send_error(request, 0x03, 0x02); - log_errx(1, "RAND_bytes failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - } - rv =3D RAND_bytes(&id, sizeof(id)); - if (rv !=3D 1) { - login_send_error(request, 0x03, 0x02); - log_errx(1, "RAND_bytes failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - } + arc4random_buf(challenge_bin, sizeof(challenge_bin)); + arc4random_buf(&id, sizeof(id)); =20 /* * Send the challenge. Index: usr.sbin/iscsid/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- usr.sbin/iscsid/Makefile (revision 267293) +++ usr.sbin/iscsid/Makefile (working copy) 
@@ -8,8 +8,8 @@ #CFLAGS+=3D -DICL_KERNEL_PROXY MAN=3D iscsid.8 =20 -DPADD=3D ${LIBUTIL} -LDADD=3D -lcrypto -lssl -lutil +DPADD=3D ${LIBMD} ${LIBUTIL} +LDADD=3D -lmd -lutil =20 WARNS=3D 6 =20 Index: usr.sbin/iscsid/login.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- usr.sbin/iscsid/login.c (revision 267293) +++ usr.sbin/iscsid/login.c (working copy) @@ -36,9 +36,7 @@ #include #include #include -#include -#include -#include +#include =20 #include "iscsid.h" #include "iscsi_proto.h" @@ -376,17 +374,14 @@ size_t response_len) { MD5_CTX ctx; - int rv; =20 assert(response_len =3D=3D MD5_DIGEST_LENGTH); =20 - MD5_Init(&ctx); - MD5_Update(&ctx, &id, sizeof(id)); - MD5_Update(&ctx, secret, strlen(secret)); - MD5_Update(&ctx, challenge, challenge_len); - rv =3D MD5_Final(response, &ctx); - if (rv !=3D 1) - log_errx(1, "MD5_Final"); + MD5Init(&ctx); + MD5Update(&ctx, &id, sizeof(id)); + MD5Update(&ctx, secret, strlen(secret)); + MD5Update(&ctx, challenge, challenge_len); + MD5Final(response, &ctx); } =20 static void @@ -588,7 +583,7 @@ const char *chap_a, *chap_c, *chap_i; char *chap_r, *challenge, response_bin[MD5_DIGEST_LENGTH]; size_t challenge_len; - int error, rv; + int error; unsigned char id; char *mutual_chap_c, mutual_chap_i[4]; =20 
@@ -647,18 +642,10 @@ "binary challenge size is %zd bytes", sizeof(conn->conn_mutual_challenge)); =20 - rv =3D RAND_bytes(conn->conn_mutual_challenge, + arc4random_buf(conn->conn_mutual_challenge, sizeof(conn->conn_mutual_challenge)); - if (rv !=3D 1) { - log_errx(1, "RAND_bytes failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - } - rv =3D RAND_bytes(&conn->conn_mutual_id, + arc4random_buf(&conn->conn_mutual_id, sizeof(conn->conn_mutual_id)); - if (rv !=3D 1) { - log_errx(1, "RAND_bytes failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - } mutual_chap_c =3D login_bin2hex(conn->conn_mutual_challenge, sizeof(conn->conn_mutual_challenge)); snprintf(mutual_chap_i, sizeof(mutual_chap_i), @@ -752,8 +739,6 @@ static void login_create_isid(struct connection *conn) { - int rv; - /* * RFC 3720, 10.12.5: 10b, "Random" ISID. * 
@@ -760,11 +745,7 @@ */ conn->conn_isid[0] =3D 0x80;=20 =20 - rv =3D RAND_bytes(&conn->conn_isid[1], 3); - if (rv !=3D 1) { - log_errx(1, "RAND_bytes failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - } + arc4random_buf(&conn->conn_isid[1], 3); } =20 void
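
Review bot: In the usr.sbin/ctld/Makefile hunk, the new LDADD line lists -lmd twice (`-lfl -lmd -lsbuf -lutil -lmd`). One occurrence is enough; drop the trailing one so the line matches the single ${LIBMD} added to DPADD.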
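
Review bot: The "Generate the challenge" comment in usr.sbin/ctld/login.c (@@ -576,18 +570,8 @@) should say that arc4random_buf returns void and has no failure to report, because the hunk drops the login_send_error(request, 0x03, 0x02) path without explanation. A one-line comment there keeps a later reader from reinstating an error branch or wondering why the initiator is never told about a failed challenge. The same remark fits the iscsid hunks at @@ -647,18 +642,10 @@ and @@ -760,11 +745,7 @@, where the log_errx(1, "RAND_bytes failed: %s", ...) exits disappear.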
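
Review bot: In usr.sbin/iscsid/login.c at @@ -376,17 +374,14 @@ (and the identical ctld hunk at @@ -356,17 +354,14 @@), check the length arguments to MD5Update: strlen(secret) is a size_t, and libmd declares the length parameter as unsigned int where OpenSSL's MD5_Update took size_t. The iscsid Makefile in this patch builds with WARNS=6, so confirm the implicit narrowing compiles cleanly there, or cast explicitly. Since the cover message says the iscsid part is untested, a CHAP login against a target using the rebuilt iscsid should be run before commit to confirm the computed response is unchanged.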