[Git][NTPsec/ntpsec][master] Eliminate dependency on libsodium - use OpenSSL's RNG.

Eric S. Raymond gitlab at mg.gitlab.com
Sat Jan 28 14:53:26 UTC 2017


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
dc54a52e by Eric S. Raymond at 2017-01-28T09:52:43-05:00
Eliminate dependency on libsodium - use OpenSSL's RNG.

- - - - -


11 changed files:

- INSTALL
- attic/wscript
- buildprep
- include/ntp_random.h
- libntp/ntp_random.c
- libntp/pymodule.c
- libntp/wscript
- ntpd/ntpd.c
- ntpd/wscript
- − wafhelpers/check_sodium.py
- wafhelpers/configure.py


Changes:

=====================================
INSTALL
=====================================
--- a/INSTALL
+++ b/INSTALL
@@ -53,7 +53,6 @@ Python 2.x, x >= 6, or Python 3.x, x >= 3::
     export PYTHONPATH=/usr/local/lib/python2.6/site-packages
   (I put it in my .bashrc)
 
-
 bison::
    Required to build.
    Gentoo package: sys-devel/bison
@@ -63,41 +62,6 @@ OpenSSL::
    Enables encryption and authentication.
    Gentoo: dev-libs/openssl
 
-libsodium::
-   Required to run and build.
-   Used for cryptographic-quality random-number generation.
-   This is a relatively recent library and is a bit tricky to install on
-   older distributions. We used to carry it in-tree to avoid this problem,
-   but we judge this creates an unacceptable risk should a CVE be issued
-   against it
-
-   Tarballs: https://download.libsodium.org/libsodium/releases/
-
-   NetBSD:
-     pkgin install libsodium
-     The runtime loader/linker doesn't look in /usr/pkg/lib/
-     The following link makes things work.  (adjust both 18s as needed)
-     # ls -s  /usr/pkg/lib/libsodium.so.18 /usr/lib/libsodium.so.18
-   FreeBSD:
-     # pkg install libsodium
-   CentOS:
-       libsodium comes from epel ("Extra Packages for Enterprise Linux").
-       https://fedoraproject.org/wiki/EPEL
-    # yum install epel-release
-    now use buildprep
-   Debian
-    Jessie: use buildprep
-    Wheezy:
-      i386 deb available from:
-        https://sourceforge.net/projects/debiannoofficial/files/wheezy/
-      amd64: use a tarball (URL above)
-        $ ./configure; make; make check; sudo make install
-        # ln -s /usr/local/lib/libsodium.so.18  /lib/x86_64-linux-gnu/libsodium.so.18
-
-   MacOS/OS X, macports: libsodium
-   Ubuntu 14.04 LTS: and older:
-      https://gist.github.com/jonathanpmartins/2510f38abee1e65c6d92
-
 libcap::
    Required on Linux to support dropping root.
    Gentoo package: sys-libs/libcap


=====================================
attic/wscript
=====================================
--- a/attic/wscript
+++ b/attic/wscript
@@ -11,6 +11,6 @@ def build(ctx):
 			includes	= [
 						"%s/%s/" % (bldnode, name)
 					],
-			use		= "ntp isc M RT THR PTHREAD",
+			use		= "ntp isc M SSL CRYPTO RT THR PTHREAD",
 			install_path    = None,
 		)
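Review bot: The `use` line gains `SSL CRYPTO` because libntp's ntp_random() now calls into OpenSSL, but nothing on this page makes OpenSSL a mandatory configure check the way the deleted check_sodium() did for libsodium. INSTALL still describes OpenSSL only as enabling encryption and authentication, so a build without it would presumably now fail at `#include <openssl/rand.h>`; that entry should say it is required. Apart from ntpd, no other target that links `ntp` is touched in this commit, so any other program that pulls in ntp_random() would likely need `CRYPTO` added to its `use` as well. RAND_bytes lives in libcrypto, so `SSL` is probably unnecessary on this line. The build() body starts and ends outside the hunk.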


=====================================
buildprep
=====================================
--- a/buildprep
+++ b/buildprep
@@ -90,14 +90,12 @@ case $installer in
 	echo "# SLES versions 12 and earlier do not have pps-tools"
 	$do $installer --install basis-devel gnuplot libcap-devel libcap2
 	$do $installer --install liberation-fonts libseccomp-devel
-	$do $installer --install libsodium-devel libsodium13
 	$do $installer --install openssl-libs openssl-devel
 	$do $installer --install python-devel
 	;;
     zypper)
 	$do zypper install -y gnuplot libcap-devel libcap2
 	$do zypper install -y liberation-fonts libseccomp-devel
-	$do zypper install -y libsodium-devel libsodium13
 	$do zypper install -y openssl-devel
 	$do zypper install -y python-devel bison
 	$do zypper install -y gcc6 gcc6-info gcc6-locale
@@ -106,21 +104,5 @@ case $installer in
 	;;
 esac
 
-echo "# libsodium is a point of pain; some older distributions don't carry it."
-echo "# Watch these installations closely; if you get a failure message,"
-echo "# see INSTALL for instructions."
-case $installer in
-    apt)
-	# no libsodium on Debian wheezy
-	$do apt-get install libsodium-dev
-	;;
-    emerge)
-        $do emerge -q y dev-libs/libsodium
-        ;;
-    yum|dnf)
-	# no libsodium on CentOS 7
-	$do $installer install libsodium libsodium-devel
-	;;
-esac
 echo ""
 echo "# Done."


=====================================
include/ntp_random.h
=====================================
--- a/include/ntp_random.h
+++ b/include/ntp_random.h
@@ -1 +1 @@
-long ntp_random (void);
+int32_t ntp_random (void);
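Review bot: The prototype now uses `int32_t`, but this one-line header does not include `<stdint.h>`, so it only compiles when every includer has already pulled that in. Adding `#include <stdint.h>` above the prototype makes the header self-contained. A short comment on the return range would also help, for example `/* returns 32 random bits from the OpenSSL RNG; may be negative */`, since the old libsodium version masked the sign bit off.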


=====================================
libntp/ntp_random.c
=====================================
--- a/libntp/ntp_random.c
+++ b/libntp/ntp_random.c
@@ -5,14 +5,16 @@
  * SPDX-License-Identifier: BSD-4-clause
  */
 
-#include "config.h"
 #include <stdint.h>
-#include <sodium.h>
 
-long
-ntp_random( void )
+#include <openssl/rand.h>
+
+#include "ntp_endian.h"
+
+int32_t
+ntp_random(void)
 {
-	uint32_t rnd;
-	randombytes_buf(&rnd, sizeof rnd);
-	return (long)(rnd & 0x7fffffff);
+	unsigned char rnd[sizeof(uint32_t)];
+	RAND_bytes(rnd, sizeof(rnd));
+	return (int32_t)ntp_be32dec(rnd);
 }
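Review bot: The return value of `RAND_bytes(rnd, sizeof(rnd))` is ignored, so if OpenSSL's generator fails, ntp_random() returns whatever was in the uninitialised stack buffer `rnd` as though it were random. RAND_bytes returns 1 only on success, so the call should be checked and fail closed, e.g. `if (RAND_bytes(rnd, sizeof(rnd)) != 1) { msyslog(LOG_ERR, "RAND_bytes() failed"); exit(1); }`, in the style ntpd.c used for sodium_init(). This matters more because the same commit removes that sodium_init() start-up check and nothing shown replaces it. Separately, the old code masked the result with `0x7fffffff` and never returned a negative value, while the new cast can. Callers are not visible here, so either keep the mask, `return (int32_t)(ntp_be32dec(rnd) & 0x7fffffff);`, or confirm that no caller relies on a non-negative result, for instance through `%`.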


=====================================
libntp/pymodule.c
=====================================
--- a/libntp/pymodule.c
+++ b/libntp/pymodule.c
@@ -136,7 +136,7 @@ ntpc_step_systime(PyObject *self, PyObject *args)
     return Py_BuildValue("d", step_systime(adjustment, ntp_set_tod));
 }
 
-long ntp_random(void)
+int32_t ntp_random(void)
 /* stub random function for get_systime() */
 {
     return 0;


=====================================
libntp/wscript
=====================================
--- a/libntp/wscript
+++ b/libntp/wscript
@@ -55,7 +55,6 @@ def build(ctx):
 	ctx(
 		target		= "ntp",
 		features	= "c cstlib bld_include src_include",
-		use		= "SODIUM",
 		source		= libntp_source + libntp_source_sharable,
 		includes	= includes,
 	)


=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -52,8 +52,6 @@ static	void		finish_safe	(int);
 DNSServiceRef mdns;
 #endif
 
-#include <sodium.h>
-
 static void check_minsane(void);
 
 static bool need_priority = false;
@@ -646,14 +644,6 @@ ntpdmain(
 # endif		/* HAVE_WORKING_FORK */
 	}
 
-        /*
-	 * Initialize libsodium and its RNG
-	 */
-	if (sodium_init() < 0) {
-		msyslog(LOG_ERR, "sodium_init() failed");
-		exit(1);
-	}
-
 	/*
 	 * Set up signals we pay attention to locally.
 	 */


=====================================
ntpd/wscript
=====================================
--- a/ntpd/wscript
+++ b/ntpd/wscript
@@ -132,7 +132,7 @@ def build(ctx):
 		target		= "ntpd",
 		features	= "c rtems_trace cprogram bld_include src_include libisc_include libisc_pthread_include",
 		source		= ntpd_source,
-		use		= "libntpd_obj isc ntp M parse RT SODIUM CAP SECCOMP PTHREAD SSL CRYPTO DNS_SD DNS_SD_INCLUDES %s SOCKET NSL SCF" % use_refclock,
+		use		= "libntpd_obj isc ntp M parse RT CAP SECCOMP PTHREAD SSL CRYPTO DNS_SD DNS_SD_INCLUDES %s SOCKET NSL SCF" % use_refclock,
 		includes	= [
 					"%s/host/ntpd/" % ctx.bldnode.parent.abspath(),
 					"%s/ntpd/" % srcnode,


=====================================
wafhelpers/check_sodium.py deleted
=====================================
--- a/wafhelpers/check_sodium.py
+++ /dev/null
@@ -1,11 +0,0 @@
-
-
-def check_sodium(ctx):
-    ctx.check_cc(header_name="sodium.h",
-      includes=ctx.env.PLATFORM_INCLUDES,
-      mandatory=True,
-      errmsg="No\nFatal Error: Your system is missing libsodium")
-    ctx.check_cc(lib="sodium",
-      libpath=ctx.env.PLATFORM_LIBPATH,
-      comment="Sodium crypto library",
-      mandatory=True)


=====================================
wafhelpers/configure.py
=====================================
--- a/wafhelpers/configure.py
+++ b/wafhelpers/configure.py
@@ -553,9 +553,6 @@ def cmd_configure(ctx, config):
     from wafhelpers.check_cap import check_cap
     check_cap(ctx)
 
-    from wafhelpers.check_sodium import check_sodium
-    check_sodium(ctx)
-
     from wafhelpers.check_seccomp import check_seccomp
     check_seccomp(ctx)
 



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/dc54a52e9c29fe1058a5e2a1787568e02305435d