Marc-Andre Lemburg added the comment:

On 24.04.2015 04:54, aixtools wrote:
> Rather than wait for that to happen I decided to experiment with LibreSSL. If 
> you are not familiar with LibreSSL - I shall be quick - openbsd (who also 
> maintains openssh) has been cutting out insecure and/or superfluous code.
> 
> One of the more insecure (because it can be a predictable source of entropy) 
> is RAND_egd() - so it is unavoidable that this occurs:
> 
> ld: 0711-317 ERROR: Undefined symbol: .RAND_egd
> 
> After patching _ssl.c to this:
> --- _ssl.c.orig 2014-06-30 02:05:42 +0000
> +++ _ssl.c      2015-04-24 02:47:00 +0000
> @@ -1604,6 +1604,7 @@
>  static PyObject *
>  PySSL_RAND_egd(PyObject *self, PyObject *arg)
>  {
> +#ifndef LIBRESSL_VERSION_NUMBER
>      int bytes;
>  
>      if (!PyString_Check(arg))
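Review bot: the `#ifndef LIBRESSL_VERSION_NUMBER` guard keys on which library is installed rather than on whether `RAND_egd` exists, so any OpenSSL built without EGD support, or a later release that drops the function, will hit the same `Undefined symbol: .RAND_egd` link error. A configure-time probe for `RAND_egd` with a `HAVE_RAND_EGD`-style define (name assumed) wrapping the body would cover both cases. Also, because the guard sits after the opening brace, `self` and `arg` are unused in the LibreSSL branch; a `(void)arg;` there keeps `-Wunused-parameter` builds quiet.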
> @@ -1618,6 +1619,12 @@
>          return NULL;
>      }
>      return PyInt_FromLong(bytes);
> +#else
> +        PyErr_SetString(PySSLErrorObject,
> +                        "external EGD connection not allowed when using 
> LibreSSL:"
> +                        "no data to seed the PRNG via PySSL_RAND_egd");
> +        return NULL;
> +#endif
>  }
>  
>  PyDoc_STRVAR(PySSL_RAND_egd_doc,
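Review bot: the two adjacent literals in the `#else` branch concatenate with no separator, so the message comes out as `...when using LibreSSL:no data to seed...`; end the first literal with `": "` or merge the two. As quoted here the first literal is also split across a line break (`"external EGD connection not allowed when using` / `LibreSSL:"`), which will not compile if applied verbatim, so check the wrapping in the real patch file. Two smaller points: the `#else` body is indented eight spaces where the rest of the function uses four, and `PySSL_RAND_egd_doc` just below still describes a working function, so it should say that the call raises under LibreSSL (or the entry could be dropped from the method table so `hasattr(ssl, "RAND_egd")` reflects reality).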
> 
> The end result is:
> Failed to build these modules:
> _elementtree       _sqlite3           bz2             
> pyexpat 
> 
> In short, you can get ahead of the curve by deprecating/removing 
> PySSL_RAND_egd() because any code that uses it may be receiving predictable 
> input and thereafter everything may be predictable.
> 
> If you do not believe openbsd (or me) - just read the code. It calls anything 
> configured (handy when /dev/urandom was hard to find anno 1999) but these 
> days a backdoor waiting to be opened.
> 
> p.s. As I get time I shall continue with the other modules that do not build 
> - just let me know if you prefer that I continue posting in this "issue", or 
> make new one(s) for each module as I find a solution.

Please post this in a new issue, since it's really a separate one.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

----------
nosy: +lemburg

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24046>
_______________________________________