
classification
Title: Incomplete build on AIX
Type: compile error
Stage: resolved
Components: Extension Modules
Versions: Python 2.7
process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: David.Edelsohn, aixtools@gmail.com, alex, christian.heimes, dstufft, giampaolo.rodola, iritkatriel, janssen, kadler, lemburg, pitrou, trex58
Priority: normal
Keywords:

Created on 2015-04-24 02:54 by aixtools@gmail.com, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg241908 - (view) Author: Michael Felt (aixtools@gmail.com) Date: 2015-04-24 02:54
Actually, I have been building and using my builds of Python, when needed for ./configure requirements for a long time. In short, it is quite nice that make "completes" even when there are missing and/or failed modules.

I have just resolved the problem with ctypes not building (see https://bugs.python.org/issue6006) and that got me started to research others.

Failed to build these modules:
_elementtree       _sqlite3           _ssl            
bz2                pyexpat                            


While there are several - I am looking first at ssl.

My first attempt comes up with some failed defines - probably because the latest openssl provided by IBM is openssl-1.0.0 and openssl-1.0.1 is needed.

Rather than wait for that to happen I decided to experiment with LibreSSL. If you are not familiar with LibreSSL - I shall be quick - openbsd (who also maintains openssh) has been cutting out insecure and/or superfluous code.

One of the more insecure (because it can be a predictable source of entropy) is RAND_egd() - so it is unavoidable that this occurs:

ld: 0711-317 ERROR: Undefined symbol: .RAND_egd

After patching _ssl.c to this:
--- _ssl.c.orig 2014-06-30 02:05:42 +0000
+++ _ssl.c      2015-04-24 02:47:00 +0000
@@ -1604,6 +1604,7 @@
 static PyObject *
 PySSL_RAND_egd(PyObject *self, PyObject *arg)
 {
+#ifndef LIBRESSL_VERSION_NUMBER
     int bytes;
 
     if (!PyString_Check(arg))
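Review bot: The `#ifndef LIBRESSL_VERSION_NUMBER` guard at the top of PySSL_RAND_egd keys on one library's name rather than on whether RAND_egd is actually available, so any other libssl that lacks the symbol would still hit the same undefined-symbol link error. Consider probing for RAND_egd at configure time and guarding on that result instead. Note also that `arg` and `self` are left unused in the LibreSSL branch.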
@@ -1618,6 +1619,12 @@
         return NULL;
     }
     return PyInt_FromLong(bytes);
+#else
+        PyErr_SetString(PySSLErrorObject,
+                        "external EGD connection not allowed when using LibreSSL:"
+                        "no data to seed the PRNG via PySSL_RAND_egd");
+        return NULL;
+#endif
 }
 
 PyDoc_STRVAR(PySSL_RAND_egd_doc,
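Review bot: In the `#else` branch the two adjacent string literals concatenate to "...when using LibreSSL:no data to seed...", with no space after the colon; add a trailing space to the first literal. The added lines are also indented eight spaces where the rest of the function body uses four, and the message names the C function PySSL_RAND_egd rather than the Python-level name a caller would recognise. The PyDoc_STRVAR text that follows is not updated to say the call can now fail unconditionally.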

The end result is:
Failed to build these modules:
_elementtree       _sqlite3           bz2             
pyexpat 

In short, you can get ahead of the curve by deprecating/removing PySSL_RAND_egd() because any code that uses it may be receiving predictable input and thereafter everything may be predictable.

If you do not believe openbsd (or me) - just read the code. It calls anything configured (handy when /dev/urandom was hard to find anno 1999) but these days a backdoor waiting to be opened.

p.s. As I get time I shall continue with the other modules that do not build - just let me know if you prefer that I continue posting in this "issue", or make new one(s) for each module as I find a solution.
msg241921 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2015-04-24 07:47
On 24.04.2015 04:54, aixtools wrote:
> Rather than wait for that to happen I decided to experiment with LibreSSL. If you are not familiar with LibreSSL - I shall be quick - openbsd (who also maintains openssh) has been cutting out insecure and/or superfluous code.
> 
> One of the more insecure (because it can be a predictable source of entropy) is RAND_egd() - so it is unavoidable that this occurs:
> 
> ld: 0711-317 ERROR: Undefined symbol: .RAND_egd
> 
> After patching _ssl.c to this:
> --- _ssl.c.orig 2014-06-30 02:05:42 +0000
> +++ _ssl.c      2015-04-24 02:47:00 +0000
> @@ -1604,6 +1604,7 @@
>  static PyObject *
>  PySSL_RAND_egd(PyObject *self, PyObject *arg)
>  {
> +#ifndef LIBRESSL_VERSION_NUMBER
>      int bytes;
>  
>      if (!PyString_Check(arg))
> @@ -1618,6 +1619,12 @@
>          return NULL;
>      }
>      return PyInt_FromLong(bytes);
> +#else
> +        PyErr_SetString(PySSLErrorObject,
> +                        "external EGD connection not allowed when using LibreSSL:"
> +                        "no data to seed the PRNG via PySSL_RAND_egd");
> +        return NULL;
> +#endif
>  }
>  
>  PyDoc_STRVAR(PySSL_RAND_egd_doc,
> 
> The end result is:
> Failed to build these modules:
> _elementtree       _sqlite3           bz2             
> pyexpat 
> 
> In short, you can get ahead of the curve by deprecating/removing PySSL_RAND_egd() because any code that uses it may be receiving predictable input and thereafter everything may be predictable.
> 
> If you do not believe openbsd (or me) - just read the code. It calls anything configured (handy when /dev/urandom was hard to find anno 1999) but these days a backdoor waiting to be opened.
> 
> p.s. As I get time I shall continue with the other modules that do not build - just let me know if you prefer that I continue posting in this "issue", or make new one(s) for each module as I find a solution.

Please post this in a new issue, since it's really a separate one.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com
msg248764 - (view) Author: REIX Tony (trex58) Date: 2015-08-18 09:30
Fresh openssl versions are now available for AIX: 1.0.1p and 1.0.2d.
See: http://www.bullfreeware.com/search.php?package=openssl
msg380949 - (view) Author: Kevin (kadler) * Date: 2020-11-14 00:59
Looks like RAND_egd was made optional in https://bugs.python.org/issue21356

Can this issue be closed?
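
Because RAND_egd can be missing from a build (LibreSSL, as in the first message, or wherever it is optional), it helps to locate callers before switching libssl. The scanner below is an added example, not part of the original thread or of CPython; the function name, sample source and socket path are constructed for illustration.

```python
import ast

# Constructed sample: one aliased module call, one directly imported call,
# one hasattr() feature test (safe, intentionally not reported).
SAMPLE = '''\
import os
import ssl as tls
from ssl import RAND_egd as seed_from_egd

tls.RAND_egd("/var/run/egd-pool")
seed_from_egd("/var/run/egd-pool")
if hasattr(tls, "RAND_egd"):
    pass
key = os.urandom(32)
'''


def find_rand_egd_uses(source, filename="<constructed>"):
    """Return sorted (line, description) pairs for references to ssl.RAND_egd."""
    tree = ast.parse(source, filename=filename)
    ssl_names = set()     # local names bound to the ssl module
    direct_names = set()  # local names bound to ssl.RAND_egd itself
    hits = []
    # Pass 1: learn how ssl and RAND_egd are imported, including aliases.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "ssl":
                    ssl_names.add(alias.asname or "ssl")
        elif isinstance(node, ast.ImportFrom) and node.module == "ssl":
            for alias in node.names:
                if alias.name == "RAND_egd":
                    direct_names.add(alias.asname or "RAND_egd")
                    hits.append((node.lineno, "from ssl import RAND_egd"))
    # Pass 2: report attribute access on the module and calls via imported names.
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and node.attr == "RAND_egd"
                and isinstance(node.value, ast.Name)
                and node.value.id in ssl_names):
            hits.append((node.lineno, "%s.RAND_egd" % node.value.id))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in direct_names):
            hits.append((node.lineno, "call via imported name %s" % node.func.id))
    return sorted(hits)


if __name__ == "__main__":
    for line, what in find_rand_egd_uses(SAMPLE):
        print("line %d: %s" % (line, what))
```

Each reported line is a place that will fail on a build without RAND_egd and that should move to the operating system's random source instead.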
msg411395 - (view) Author: Irit Katriel (iritkatriel) * (Python committer) Date: 2022-01-23 18:34
2.7 is no longer maintained. Please create new issues for build problems on current versions (>= 3.9).
History
Date | User | Action | Args
2022-04-11 14:58:16 | admin | set | github: 68234
2022-01-23 18:34:02 | iritkatriel | set | status: open -> closed; nosy: + iritkatriel; messages: + msg411395; resolution: out of date; stage: resolved
2020-11-14 00:59:01 | kadler | set | nosy: + kadler; messages: + msg380949
2015-08-18 09:30:10 | trex58 | set | nosy: + trex58; messages: + msg248764
2015-04-24 07:47:02 | lemburg | set | nosy: + lemburg; messages: + msg241921
2015-04-24 05:41:44 | serhiy.storchaka | set | nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft, David.Edelsohn
2015-04-24 02:54:41 | aixtools@gmail.com | create |