Summary: [PATCH] security/heimdal: Fix build without EGD
Product: Ports & Packages
Reporter: Bernard Spil <brnrd>
Component: Individual Port(s)
Assignee: Hiroki Sato <hrs>
Severity: Affects Some People
CC: brnrd, chalpin, dewayne, igor.arabesc.pavlov, venture37, zleslie
Description Bernard Spil 2015-03-11 19:48:02 UTC
Created attachment 154222 [details] svn diff for security/heimdal

heimdal unconditionally relies on RAND_egd, which makes building fail with LibreSSL, which has removed EGD. FreeBSD does not require EGD at all; /dev/random has been available since FreeBSD 4.2.

The patch checks for LibreSSL by looking for LIBRESSL_VERSION_NUMBER, which is defined in openssl/opensslv.h, and disables code that requires EGD.

Couldn't find a clean spot to check for RAND_egd in configure like so:

    AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
Comment 1 Bernard Spil 2015-03-11 19:57:35 UTC
Wanted to upstream the patch, but there's been a change in heimdal master where RAND_EGD is disabled for Windows it seems...
Comment 2 Sevan Janiyan 2015-04-10 12:26:13 UTC
Created attachment 155420 [details] patch for security/heimdal

The attached patch integrates Bernard's changes with security/heimdal and adds the autoconf check to cf/crypto which was missing in the previous diff. Port now uses autoconf, needed to regen configure script. Bump port rev.
Comment 3 Bernard Spil 2015-04-10 21:07:07 UTC
Created attachment 155435 [details] svn diff for security/heimdal

This patch improves on the previous patch by properly detecting EGD support in configure. No need to delete EGD support from bundled heimdal crypto lib.
Comment 4 Bernard Spil 2015-04-28 19:20:11 UTC
Upstream implemented this in https://github.com/heimdal/heimdal/pull/124
Comment 5 Bernard Spil 2015-08-14 16:18:21 UTC
Created attachment 159861 [details] svn diff for security/heimdal

Adapted/simplified the patch to work with the new OPENSSL_NO_EGD define that was recently added to LibreSSL's headers.
Comment 6 Bernard Spil 2015-08-14 16:32:31 UTC
The file you are trying to attach is 1632 kilobytes (KB) in size. Attachments cannot be more than 1000 KB. We recommend that you store your attachment elsewhere and then paste the URL to this file on the attachment creation page in the appropriate text field, which you can access by clicking the "paste text as attachment" link.

So https://brnrd.eu/poudriere/data/102amd64-default/2015-08-14_18h20m12s/logs/heimdal-1.5.3_4.log should do!
Comment 7 Bernard Spil 2016-02-15 10:28:28 UTC
Created attachment 167022 [details] Poudriere log security/heimdal

Built with LibreSSL-devel 2.3.2. 1634kb so gzipped.
Source: https://brnrd.eu/poudriere/data/102amd64-default/2016-02-14_21h54m39s/logs/heimdal-1.5.3_4.log
Comment 8 dewayne 2016-02-29 03:05:42 UTC
Bernard,

Great job getting libressl to build, and the obvious effort that you have put into getting the upstream ports/folks to accept the changes necessary to build various ports using libressl (per https://wiki.freebsd.org/LibreSSL and attached pages).

Hiroki,

Is there any chance of getting the patches into security/heimdal/files as a permanent fix?

As an aside, as EGD appears to provide no benefit on "modern" operating systems which take care of system entropy, then why not remove the unnecessary function call (RAND_egd) altogether?
Comment 9 Bernard Spil 2016-02-29 10:12:35 UTC
(In reply to dewayne from comment #8)

> Is there any chance of getting the patches into security/heimdal/files as a
> permanent fix?

This will have to be applied as a permanent fix, OpenSSL 1.1.0 also disables EGD support by default. Fortunately it uses the same OPENSSL_NO_EGD define as LibreSSL does. I've just created the security/openssl-devel port for OpenSSL 1.1.0, see review D5484.

> As an aside, as EGD appears to provide no benefit on "modern" operating systems
> which take care of system entropy, then why not remove the unnecessary function
> call (RAND_egd) altogether?

Correct, but projects try to keep all options open. The #ifndef guards should suffice.
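The guard pattern this thread converges on (the description's LIBRESSL_VERSION_NUMBER check, later simplified to the OPENSSL_NO_EGD define that LibreSSL and OpenSSL 1.1.0 both provide) is shown below as an added, self-contained C example. It is not heimdal's code and not the attached patch: the function names (read_device_entropy, gather_seed, rng_backend_name, seed_self_test), the HAVE_LIBCRYPTO_HEADERS and USE_EGD macros, the EGD socket path and the /dev/urandom fallback are the example's own choices, and the __has_include probe assumes a GCC- or Clang-compatible preprocessor so the file still compiles on a machine with no libcrypto headers at all.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Work out which libcrypto we are building against, if any.  __has_include
 * (assumption: GCC/Clang) keeps the example compilable where no
 * OpenSSL/LibreSSL headers are installed.
 */
#if defined(__has_include)
#  if __has_include(<openssl/opensslconf.h>) && __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslconf.h> /* OPENSSL_NO_EGD: OpenSSL >= 1.1.0 and LibreSSL */
#    include <openssl/opensslv.h>    /* LIBRESSL_VERSION_NUMBER: any LibreSSL */
#    define HAVE_LIBCRYPTO_HEADERS 1
#  endif
#endif

/*
 * The guard discussed in the thread: compile the RAND_egd path only when the
 * libcrypto in use still provides it.  Both macros are checked so LibreSSL
 * releases that predate OPENSSL_NO_EGD are still caught.
 */
#if defined(HAVE_LIBCRYPTO_HEADERS) && !defined(OPENSSL_NO_EGD) && !defined(LIBRESSL_VERSION_NUMBER)
#  include <openssl/rand.h>
#  define USE_EGD 1
#endif

/* Read n bytes from a kernel entropy device.  Returns the byte count, or -1
 * if the device cannot be opened. */
long read_device_entropy(const char *path, unsigned char *buf, size_t n)
{
    FILE *fp = fopen(path, "rb");
    size_t got;

    if (fp == NULL)
        return -1;
    got = fread(buf, 1, n, fp);
    fclose(fp);
    return (long)got;
}

/* Which seeding backend this build compiled in; handy in a build log. */
const char *rng_backend_name(void)
{
#ifdef USE_EGD
    return "egd";
#else
    return "device";
#endif
}

/*
 * Fill buf with n seed bytes.  The EGD socket is tried only when that code
 * was compiled in; the kernel device is always the fallback (the example
 * uses /dev/urandom, the report points at /dev/random on FreeBSD).
 * Returns the number of bytes obtained, or -1.
 */
long gather_seed(const char *egd_socket, unsigned char *buf, size_t n)
{
#ifdef USE_EGD
    /* RAND_egd() feeds EGD output into libcrypto's pool; RAND_bytes() then
     * returns n bytes drawn from that pool. */
    if (egd_socket != NULL && RAND_egd(egd_socket) > 0 && RAND_bytes(buf, (int)n) == 1)
        return (long)n;
#else
    (void)egd_socket; /* EGD compiled out: the socket path is simply ignored */
#endif
    return read_device_entropy("/dev/urandom", buf, n);
}

/* Self-check: 1 if a 32-byte seed could be gathered by whichever backend
 * was compiled in, 0 otherwise. */
int seed_self_test(void)
{
    unsigned char seed[32];
    long got = gather_seed("/var/run/egd-pool", seed, sizeof seed); /* constructed socket path */

    return got == (long)sizeof seed;
}

int main(void)
{
    int ok = seed_self_test();

    printf("rng backend: %s, self-test: %s\n", rng_backend_name(), ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Against LibreSSL or a default OpenSSL 1.1.0+ build the RAND_egd call is never compiled, so the binary links without the symbol; against an older OpenSSL with EGD enabled the same source keeps the EGD path, which is the "keep all options open" outcome the thread settles on.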
Comment 10 Zach Leslie 2016-04-04 23:47:16 UTC
Thank you for the efforts. I'm just now trying to get all my systems to use libressl and am eagerly awaiting this.
Comment 11 Bernard Spil 2016-04-07 19:50:03 UTC
Upstream request https://github.com/heimdal/heimdal/pull/167
Comment 12 Bernard Spil 2016-04-07 19:51:39 UTC
This is now also relevant for OpenSSL 1.1.0, which disables EGD by default at build time and defines OPENSSL_NO_EGD (like LibreSSL does).
Comment 13 Zach Leslie 2016-05-27 15:00:33 UTC
Looks like upstream was merged. Is this able to proceed? Any other blockers?
Comment 14 Corey Halpin 2016-06-19 20:12:59 UTC
*** Bug 210392 has been marked as a duplicate of this bug. ***
Comment 15 Bernard Spil 2016-07-02 12:41:31 UTC
See https://reviews.freebsd.org/D7053: Backport EGD removal from 1.6 branch.