Message 241908 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	aixtools@gmail.com
Recipients	aixtools@gmail.com
Date	2015-04-24.02:54:40
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1429844081.77.0.468875149896.issue24046@psf.upfronthosting.co.za>
In-reply-to

Content
Actually, I have been building and using my builds of Python, when needed for ./configure requirements for a long time. In short, it is quite nice that make "completes" even when there are missing and/or failed modules. I have just resolved the problem with ctypes not building (see https://bugs.python.org/issue6006) and that got me started to research others. Failed to build these modules: _elementtree _sqlite3 _ssl bz2 pyexpat While there are several - I am looking first at ssl. My first attempt comes up with some failed defines - probably because the latest openssl provided by IBM is openssl-1.0.0 and openssl-1.0.1 is needed. Rather than wait for that to happen I decided to experiment with LibreSSL. If you are not familiar with LibreSSL - I shall be quick - openbsd (who also maintains openssh) has been cutting out insecure and/or superfluous code. One of the more insecure (because it can be a predictable source of enthropy) is RAND_egd() - so it is unavoidable that this occurs: ld: 0711-317 ERROR: Undefined symbol: .RAND_egd After patching _ssl.c to this: --- _ssl.c.orig 2014-06-30 02:05:42 +0000 +++ _ssl.c 2015-04-24 02:47:00 +0000 @@ -1604,6 +1604,7 @@ static PyObject * PySSL_RAND_egd(PyObject self, PyObject arg) { +#ifndef LIBRESSL_VERSION_NUMBER int bytes; if (!PyString_Check(arg)) @@ -1618,6 +1619,12 @@ return NULL; } return PyInt_FromLong(bytes); +#else + PyErr_SetString(PySSLErrorObject, + "external EGD connection not allowed when using LibreSSL:" + "no data to seed the PRNG via PySSL_RAND_egd"); + return NULL; +#endif } PyDoc_STRVAR(PySSL_RAND_egd_doc, The end result is: Failed to build these modules: _elementtree _sqlite3 bz2 pyexpat In short, you can get ahead of the curve by depreciating/removing PySSL_RAND_egd() because any code that uses it may be receiving predictable input and thereafter everything may be predictable. If you do not believe openbsd (or me) - just read the code. It calls anything configured (handy when /dev/urandom was hard to find anno 1999) but these days a backdoor waiting to be opened. p.s. As I get time I shall continue with the other modules that do not build - just let me know if you prefer that I continue posting in this "issue", or make new one(s) for each module as I find a solution.

Actually, I have been building and using my builds of Python, when needed for ./configure requirements for a long time. In short, it is quite nice that make "completes" even when there are missing and/or failed modules.

I have just resolved the problem with ctypes not building (see https://bugs.python.org/issue6006) and that got me started to research others.

Failed to build these modules:
_elementtree       _sqlite3           _ssl            
bz2                pyexpat                            


While there are several - I am looking first at ssl.

My first attempt comes up with some failed defines - probably because the latest openssl provided by IBM is openssl-1.0.0 and openssl-1.0.1 is needed.

Rather than wait for that to happen I decided to experiment with LibreSSL. If you are not familiar with LibreSSL - I shall be quick - openbsd (who also maintains openssh) has been cutting out insecure and/or superfluous code.

One of the more insecure (because it can be a predictable source of enthropy) is RAND_egd() - so it is unavoidable that this occurs:

ld: 0711-317 ERROR: Undefined symbol: .RAND_egd

After patching _ssl.c to this:
--- _ssl.c.orig 2014-06-30 02:05:42 +0000
+++ _ssl.c      2015-04-24 02:47:00 +0000
@@ -1604,6 +1604,7 @@
 static PyObject *
 PySSL_RAND_egd(PyObject *self, PyObject *arg)
 {
+#ifndef LIBRESSL_VERSION_NUMBER
     int bytes;
 
     if (!PyString_Check(arg))
@@ -1618,6 +1619,12 @@
         return NULL;
     }
     return PyInt_FromLong(bytes);
+#else
+        PyErr_SetString(PySSLErrorObject,
+                        "external EGD connection not allowed when using LibreSSL:"
+                        "no data to seed the PRNG via PySSL_RAND_egd");
+        return NULL;
+#endif
 }
 
 PyDoc_STRVAR(PySSL_RAND_egd_doc,

The end result is:
Failed to build these modules:
_elementtree       _sqlite3           bz2             
pyexpat 

In short, you can get ahead of the curve by depreciating/removing PySSL_RAND_egd() because any code that uses it may be receiving predictable input and thereafter everything may be predictable.

If you do not believe openbsd (or me) - just read the code. It calls anything configured (handy when /dev/urandom was hard to find anno 1999) but these days a backdoor waiting to be opened.

p.s. As I get time I shall continue with the other modules that do not build - just let me know if you prefer that I continue posting in this "issue", or make new one(s) for each module as I find a solution.

History
Date	User	Action	Args
2015-04-24 02:54:41	aixtools@gmail.com	set	recipients: + aixtools@gmail.com
2015-04-24 02:54:41	aixtools@gmail.com	set	messageid: <1429844081.77.0.468875149896.issue24046@psf.upfronthosting.co.za>
2015-04-24 02:54:41	aixtools@gmail.com	link	issue24046 messages
2015-04-24 02:54:40	aixtools@gmail.com	create