Re: reorder libssl and libtls at boot?

2023-06-17 Thread Stuart Henderson
On 2023/06/17 09:02, Theo de Raadt wrote:
> I don't see a positive value:cost tradeoff here, where cost is "time during
> boot, and potential for fragility in case of relink failure".

+ extra difficulty in debugging from core dumps.



Re: lpd(8): document correct control character for DVI

2023-06-17 Thread Jason McIntyre
On Tue, Jun 13, 2023 at 06:02:01PM +, Lennart Jablonka wrote:
> r is for FORTRAN output, not for DVI.
> 

fixed, thanks.
jmc

> Index: lpd.8
> ===
> RCS file: /cvs/src/usr.sbin/lpr/lpd/lpd.8,v
> retrieving revision 1.32
> diff -u -p -r1.32 lpd.8
> --- lpd.8 10 Oct 2022 09:13:43 -  1.32
> +++ lpd.8 6 Jun 2023 12:30:54 -
> @@ -242,7 +242,7 @@ The file contains troff output (cat phot
>  .It n
>  Ditroff File.
>  The file contains device independent troff output.
> -.It r
> +.It d
>  DVI File.
>  The file contains
>  .Tn Tex l
> 
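Review bot: `d` is the control-file letter that lpr(1)'s -d (DVI) option produces, and `r` is the FORTRAN carriage-control letter, so the substitution in the `.It` line is correct; since the entry now reads `.It d` directly after `.It n`, check whether the surrounding item list is kept in alphabetical order and, if it is, move the DVI entry above the Ditroff one rather than leaving it in `r`'s old slot.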



Re: reorder libssl and libtls at boot?

2023-06-17 Thread Theo de Raadt
Relinking's goal is to reduce gadget discovery.

There are two reasons we do this:

- The existence of many small stub functions that might be reached with
  the wrong parameters to act upon data structures incorrectly
- polymorphic gadget availability on variable-sized instruction architectures

Random relinking makes the offsets to those things less discoverable.

But these two libraries you propose are than the others we relink, and
have far fewer gadgets to begin with.

I don't see a positive value:cost tradeoff here, where cost is "time during
boot, and potential for fragility in case of relink failure".

So these libraries are simply not in the same scope as libcrypto, libc,
sshd, and the kernel.  For those pieces, the boot-time investment is
worth it.  I only really consider one more program worth investing in
relinking: httpd, but haven't done so yet.

Job Snijders  wrote:

> Hi all,
> 
> Would it be worth it to reorder libssl & libtls at boot?
> 
> Kind regards,
> 
> Job
> 
> Index: etc/rc
> ===
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.571
> diff -u -p -r1.571 rc
> --- etc/rc26 Apr 2023 14:28:09 -  1.571
> +++ etc/rc17 Jun 2023 05:18:46 -
> @@ -199,7 +199,7 @@ reorder_libs() {
>   done
>  
>   # Only choose the latest version of the libraries.
> - for _liba in $_relink/usr/lib/lib{c,crypto}; do
> + for _liba in $_relink/usr/lib/lib{c,crypto,ssl,tls}; do
>   _libas="$_libas $(ls $_liba.so.+([0-9.]).a | sort -rV | head 
> -1)"
>   done
>  
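Review bot: the glob in the loop body, `ls $_liba.so.+([0-9.]).a`, only matches relink archives carrying the `.a` suffix, so extending the brace list to `lib{c,crypto,ssl,tls}` requires that `libssl.so.*.a` and `libtls.so.*.a` actually exist under `$_relink/usr/lib`; if either is missing, `ls` prints an error at boot and an empty field is appended to `_libas`. Make sure the sets list ships those two archives with the `.a` suffix, and consider `2>/dev/null` on the `ls` (or skipping the library when the glob matches nothing) so a missing archive degrades quietly instead of noisily.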
> Index: lib/libssl/Makefile
> ===
> RCS file: /cvs/src/lib/libssl/Makefile,v
> retrieving revision 1.79
> diff -u -p -r1.79 Makefile
> --- lib/libssl/Makefile   5 May 2023 21:23:02 -   1.79
> +++ lib/libssl/Makefile   17 Jun 2023 05:18:46 -
> @@ -10,6 +10,7 @@ PC_FILES=openssl.pc libssl.pc
>  CLEANFILES=${PC_FILES} ${VERSION_SCRIPT}
>  
>  LIB= ssl
> +LIBREBUILD=y
>  
>  CFLAGS+= -Wall -Wundef
>  .if ${COMPILER_VERSION:L} == "clang"
> Index: lib/libtls/Makefile
> ===
> RCS file: /cvs/src/lib/libtls/Makefile,v
> retrieving revision 1.38
> diff -u -p -r1.38 Makefile
> --- lib/libtls/Makefile   5 May 2023 21:23:02 -   1.38
> +++ lib/libtls/Makefile   17 Jun 2023 05:18:46 -
> @@ -16,6 +16,7 @@ CLEANFILES= ${VERSION_SCRIPT}
>  WARNINGS= Yes
>  
>  LIB= tls
> +LIBREBUILD=y
>  
>  DPADD=   ${LIBCRYPTO} ${LIBSSL}
>  
> Index: distrib/sets/lists/base/mi
> ===
> RCS file: /cvs/src/distrib/sets/lists/base/mi,v
> retrieving revision 1.1099
> diff -u -p -r1.1099 mi
> --- distrib/sets/lists/base/mi10 Jun 2023 15:16:43 -  1.1099
> +++ distrib/sets/lists/base/mi17 Jun 2023 05:18:50 -
> @@ -3009,6 +3009,8 @@
>  ./usr/share/relink/usr/lib
>  ./usr/share/relink/usr/lib/libc.so.97.0.a
>  ./usr/share/relink/usr/lib/libcrypto.so.51.0.a
> +./usr/share/relink/usr/lib/libssl.so.54.0
> +./usr/share/relink/usr/lib/libtls.so.27.0
>  ./usr/share/relink/usr/libexec
>  ./usr/share/relink/usr/libexec/ld.so.a
>  ./usr/share/relink/usr/sbin
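Review bot: the two added entries drop the `.a` suffix that the neighbouring `libc.so.97.0.a` and `libcrypto.so.51.0.a` entries carry and that the `ls $_liba.so.+([0-9.]).a` glob in `reorder_libs()` matches on, so as written the base set lists `libssl.so.54.0` and `libtls.so.27.0` under `/usr/share/relink/usr/lib` while the boot script looks for an archive that is not in the set. They should read `./usr/share/relink/usr/lib/libssl.so.54.0.a` and `./usr/share/relink/usr/lib/libtls.so.27.0.a`.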
>
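As an added illustration of the point Theo makes about random relinking (this is example code written for this page, not OpenBSD's rc(8) or any code from the thread): a library is modelled as a list of object files, "linking" lays them out in a given order, and an attacker who has leaked one address tries to reach a gadget by a fixed distance. The object names, sizes, gadget positions and the 16-byte alignment are all constructed for the demonstration and do not describe libc or libcrypto.

```python
"""Model of boot-time random relinking and why it hides gadget offsets.

Added example, not OpenBSD code.  OBJECTS, ALIGN and the gadget positions
are constructed values; the real linker's layout rules are not modelled.
"""
import random

# Constructed table: (object file, .text size in bytes, gadget offsets inside it)
OBJECTS = [
    ("a_init.o",   0x0340, [0x012]),
    ("b_parse.o",  0x1c20, [0x0a4, 0x19fe]),
    ("c_verify.o", 0x0f80, [0x3c1]),
    ("d_io.o",     0x2410, [0x0e7, 0x1100, 0x23ff]),
    ("e_error.o",  0x0180, []),
    ("f_util.o",   0x0650, [0x2ab]),
]
ALIGN = 16  # assumed alignment between objects; a real linker has its own rules


def link(objects, order):
    """Lay the objects out in `order`; return {object name: base offset}."""
    layout, base = {}, 0
    for idx in order:
        name, size, _ = objects[idx]
        layout[name] = base
        base += -(-size // ALIGN) * ALIGN  # round size up to ALIGN
    return layout


def random_link(objects, rng):
    """One boot-time relink: the same objects, in a shuffled order."""
    order = list(range(len(objects)))
    rng.shuffle(order)
    return link(objects, order)


def gadgets(objects, layout):
    """Absolute offsets of every gadget in this layout (what a ROP chain needs)."""
    return sorted(layout[name] + g for name, _, gs in objects for g in gs)


def leak_to_gadget(layout, leaked_obj, gadget_obj, gadget_off):
    """Distance from a leaked symbol's object to a gadget in another object."""
    return layout[gadget_obj] + gadget_off - layout[leaked_obj]


def distinct_distances(objects, leaked_obj, gadget_obj, gadget_off, boots, seed):
    """Number of different leak->gadget distances seen across `boots` relinks.

    A static link gives 1: one leaked address plus a known constant reaches
    the gadget on every machine.  Random relinking spreads this out.
    """
    rng = random.Random(seed)
    seen = set()
    for _ in range(boots):
        layout = random_link(objects, rng)
        seen.add(leak_to_gadget(layout, leaked_obj, gadget_obj, gadget_off))
    return len(seen)


def fixed_offset_attack(objects, leaked_obj, gadget_obj, gadget_off, boots, seed):
    """Attacker measured leak->gadget once (e.g. on their own box) and reuses it.

    Returns the fraction of relinked boots where that reused distance still
    lands on *any* gadget at all.
    """
    rng = random.Random(seed)
    known = leak_to_gadget(random_link(objects, rng), leaked_obj, gadget_obj, gadget_off)
    hits = 0
    for _ in range(boots):
        layout = random_link(objects, rng)
        if layout[leaked_obj] + known in gadgets(objects, layout):
            hits += 1
    return hits / boots


if __name__ == "__main__":
    static = link(OBJECTS, range(len(OBJECTS)))
    print("static link, gadgets at:", [hex(g) for g in gadgets(OBJECTS, static)])
    print("distinct leak->gadget distances over 200 boots:",
          distinct_distances(OBJECTS, "a_init.o", "d_io.o", 0x1100, 200, seed=1))
    print("fixed-offset attack hit rate:",
          fixed_offset_attack(OBJECTS, "a_init.o", "d_io.o", 0x1100, 200, seed=2))
```

The model also shows the cost side of Theo's trade-off: each boot produces a different layout, so a core dump from one boot cannot be matched against symbols from another without the relinked copy of the library that was running at the time.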