Stuart Henderson <st...@openbsd.org> writes:

> On 2014/06/01 14:02, Stuart Henderson wrote:
>> On 2014/05/31 13:47, Jérémie Courrèges-Anglas wrote:
>> > Stuart Henderson <st...@openbsd.org> writes:
>> > 
>> > > Awesome! We probably need to delete more lines. Not sure a good way
>> > > to feed this sort of change back to upstreams though, as they *do* need
>> > > this with OpenSSL.
>> > 
>> > [...]
>> > 
>> > I agree that more lines should be "deleted".  Is this clear enough?
>> 
>> Unless a proper autoconf check is added I think it would be better to
>> just delete the lines.. As-is, reading just the patch suggests that
>> upstream might have some check to define OPENSSL_RAND_HACKS that we're
>> just making use of here.
>> 
>> (outright deleting is also more likely to draw attention to any upstream
>> changes in the relevant code if the port is updated, as the patch will
>> then fail or warn about being applied with fuzz).
>> 
>> 
>
> so...it seems the comment is outdated, RAND_load_file(3) advises against
> using this function.

The *LibreSSL* documentation does; the original RAND_load_file.pod
doesn't advise against using it.

Also, our rand.pod (RAND(3)) still advertises RAND_add and RAND_load_file
(fourth paragraph of DESCRIPTION); this should probably be corrected.

> I think this makes sense. OK?

I think a little tweak to the comment for RAND_load_file is thus needed.
Maybe something like:

  Remove RAND_load_file use; this function has been deprecated in
  libressl. "<quote from manpage>"

Otherwise ok.

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/elinks/Makefile,v
> retrieving revision 1.32
> diff -u -p -r1.32 Makefile
> --- Makefile  10 Oct 2013 20:10:51 -0000      1.32
> +++ Makefile  2 Jun 2014 11:05:24 -0000
> @@ -2,7 +2,7 @@
>  
>  COMMENT=             full-featured text WWW browser
>  DISTNAME=            elinks-0.11.7
> -REVISION=            7
> +REVISION=            8
>  CATEGORIES=          www
>  MASTER_SITES=                http://elinks.cz/download/
>  
> Index: patches/patch-src_network_ssl_ssl_c
> ===================================================================
> RCS file: /cvs/ports/www/elinks/patches/patch-src_network_ssl_ssl_c,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-src_network_ssl_ssl_c
> --- patches/patch-src_network_ssl_ssl_c       19 Apr 2014 17:59:38 -0000      
> 1.1
> +++ patches/patch-src_network_ssl_ssl_c       2 Jun 2014 11:05:24 -0000
> @@ -1,17 +1,30 @@
>  $OpenBSD: patch-src_network_ssl_ssl_c,v 1.1 2014/04/19 17:59:38 sthen Exp $
> ---- src/network/ssl/ssl.c.orig       Sat Apr 19 18:44:13 2014
> -+++ src/network/ssl/ssl.c    Sat Apr 19 18:45:12 2014
> -@@ -49,11 +49,8 @@ init_openssl(struct module *module)
> -      * cannot initialize the PRNG and so every attempt to use SSL fails.
> -      * It's actually an OpenSSL FAQ, and according to them, it's up to the
> -      * application coders to seed the RNG. -- William Yodlowsky */
> +
> +Remove RAND_egd, dangerous API has been removed in libressl.
> +
> +Remove RAND_load_file use; "RAND_load_file() used to allow for the state
> +of the random number generator to be controlled by external sources. It
> +is kept for ABI compatibility but is no longer functional, and should
> +not used in new programs."
> +
> +--- src/network/ssl/ssl.c.orig       Sat Aug 22 12:15:08 2009
> ++++ src/network/ssl/ssl.c    Mon Jun  2 12:04:23 2014
> +@@ -43,18 +43,6 @@ SSL_CTX *context = NULL;
> + static void
> + init_openssl(struct module *module)
> + {
> +-    unsigned char f_randfile[PATH_MAX];
> +-
> +-    /* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library
> +-     * cannot initialize the PRNG and so every attempt to use SSL fails.
> +-     * It's actually an OpenSSL FAQ, and according to them, it's up to the
> +-     * application coders to seed the RNG. -- William Yodlowsky */
>  -    if (RAND_egd(RAND_file_name(f_randfile, sizeof(f_randfile))) < 0) {
>  -            /* Not an EGD, so read and write to it */
>  -            if (RAND_load_file(f_randfile, -1))
>  -                    RAND_write_file(f_randfile);
>  -    }
> -+    if (RAND_load_file(f_randfile, -1))
> -+            RAND_write_file(f_randfile);
> - 
> +-
>       SSLeay_add_ssl_algorithms();
>       context = SSL_CTX_new(SSLv23_client_method());
> +     SSL_CTX_set_options(context, SSL_OP_ALL);
>
>
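
Review bot: the new header text in patch-src_network_ssl_ssl_c accounts for RAND_egd and RAND_load_file, but the rewritten hunk for init_openssl() also drops the RAND_write_file call and the f_randfile buffer without mentioning them. Add a line to the description saying RAND_write_file and f_randfile go away because nothing is loaded from the file any more, so that whoever updates the port later does not restore them. Also check the quoted sentence against RAND_load_file(3): as written here it reads "should not used in new programs", and a quotation should match the manpage exactly.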

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
