On 24.04.2015 04:54, aixtools wrote:
> Rather than wait for that to happen I decided to experiment with LibreSSL. If you are not familiar with LibreSSL - I shall be quick - openbsd (who also maintains openssh) has been cutting out insecure and/or superfluous code.
>
> One of the more insecure (because it can be a predictable source of enthropy) is RAND_egd() - so it is unavoidable that this occurs:
>
> ld: 0711-317 ERROR: Undefined symbol: .RAND_egd
>
> After patching _ssl.c to this:
> --- _ssl.c.orig 2014-06-30 02:05:42 +0000
> +++ _ssl.c 2015-04-24 02:47:00 +0000
> @@ -1604,6 +1604,7 @@
> static PyObject *
> PySSL_RAND_egd(PyObject *self, PyObject *arg)
> {
> +#ifndef LIBRESSL_VERSION_NUMBER
> int bytes;
>
> if (!PyString_Check(arg))
> @@ -1618,6 +1619,12 @@
> return NULL;
> }
> return PyInt_FromLong(bytes);
> +#else
> + PyErr_SetString(PySSLErrorObject,
> + "external EGD connection not allowed when using LibreSSL:"
> + "no data to seed the PRNG via PySSL_RAND_egd");
> + return NULL;
> +#endif
> }
>
> PyDoc_STRVAR(PySSL_RAND_egd_doc,
>
> The end result is:
> Failed to build these modules:
> _elementtree _sqlite3 bz2
> pyexpat
>
> In short, you can get ahead of the curve by depreciating/removing PySSL_RAND_egd() because any code that uses it may be receiving predictable input and thereafter everything may be predictable.
>
> If you do not believe openbsd (or me) - just read the code. It calls anything configured (handy when /dev/urandom was hard to find anno 1999) but these days a backdoor waiting to be opened.
>
> p.s. As I get time I shall continue with the other modules that do not build - just let me know if you prefer that I continue posting in this "issue", or make new one(s) for each module as I find a solution.
Please post this in a new issue, since it's really a separate one.
Thanks,
--
Marc-Andre Lemburg
eGenix.com
|