On Wed, Apr 22, 2015 at 09:29:49AM +0200, Kaspar Brand wrote:
> Sorry for having missed this in my previous review: we should also
> #ifdef the SSL_RSSRC_EGD case in
> ssl_engine_config.c:ssl_cmd_SSLRandomSeed(), to make sure that "egd:..."
> settings are not silently ignored when mod_ssl is compiled against
> LibreSSL. Either let the failure then be detected by the
> ssl_util_path_check, or (probably better) reject it similar to how it's
> done for SSLCompression, SSLHonorCipherOrder etc.
> 
> Kaspar

Thanks, good catch.

Is this fine?

Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c     (revision 1675266)
+++ modules/ssl/ssl_engine_config.c     (working copy)
@@ -574,8 +574,15 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
     }
     else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
+#ifdef HAVE_RAND_EGD
         seed->nSrc   = SSL_RSSRC_EGD;
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
+#else
+        return apr_pstrcat(cmd->pool, "Invalid SSLRandomSeed entropy source `",
+                           arg2, "': This version of " MODSSL_LIBRARY_NAME
+                           " does not support the Entropy Gathering Daemon "
+                           "(EGD).", NULL);
+#endif
     }
     else if (strcEQ(arg2, "builtin")) {
         seed->nSrc   = SSL_RSSRC_BUILTIN;
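
Review bot: The `#ifdef HAVE_RAND_EGD` guard in the `egd:` branch depends on a macro that this hunk neither defines nor includes. If `HAVE_RAND_EGD` is not set by a header that ssl_engine_config.c already pulls in, the `#else` path is compiled on every build and `egd:` sources are rejected even where the library supports them. Please confirm where the macro is defined, and make sure the same guard covers the code that consumes `SSL_RSSRC_EGD`, so that parsing and seeding agree. The `#else` branch turns a previously accepted `egd:` setting into a configuration error, which is the intended fail-closed behaviour, but it is worth a sentence in the SSLRandomSeed documentation so that administrators building against a library without EGD support know why an existing configuration stops loading.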
