Bug 198527 - [PATCH] security/heimdal: Fix build without EGD
Summary: [PATCH] security/heimdal: Fix build without EGD
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Hiroki Sato
Keywords: patch
Duplicates: 210392
Depends on:
Reported: 2015-03-11 19:48 UTC by Bernard Spil
Modified: 2016-12-10 11:11 UTC

Flags: maintainer-feedback? (hrs)

Attachments:
- svn diff for security/heimdal (3.21 KB, patch), 2015-03-11 19:48 UTC, Bernard Spil
- patch for security/heimdal (4.39 KB, text/plain), 2015-04-10 12:26 UTC, Sevan Janiyan
- svn diff for security/heimdal (7.32 KB, patch), 2015-04-10 21:07 UTC, Bernard Spil
- svn diff for security/heimdal (2.31 KB, patch), 2015-08-14 16:18 UTC, Bernard Spil
- Poudriere log security/heimdal (85.06 KB, application/x-gzip), 2016-02-15 10:28 UTC, Bernard Spil

Description Bernard Spil freebsd_committer 2015-03-11 19:48:02 UTC
Created attachment 154222 [details]
svn diff for security/heimdal

heimdal unconditionally relies on RAND_egd, which makes building fail with LibreSSL, which has removed EGD. FreeBSD does not require EGD at all; /dev/random has been available since FreeBSD 4.2.

The patch checks for LibreSSL by looking for LIBRESSL_VERSION_NUMBER, which is defined in openssl/opensslv.h, and disables code that requires EGD. I couldn't find a clean spot to check for RAND_egd in configure like so:

AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
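The guard logic this bug settles on, shown as an added stand-alone C example rather than heimdal's own code: decide at preprocessor time whether RAND_egd may be used (older LibreSSL is identified by LIBRESSL_VERSION_NUMBER; newer LibreSSL and OpenSSL 1.1.0 define OPENSSL_NO_EGD), and otherwise seed straight from the kernel RNG, which is all FreeBSD needs. The macro name HAVE_OPENSSLV_H and the function names are this example's own; libcrypto is not linked, and the example treats missing libcrypto headers the same as a libcrypto built without EGD.

```c
/*
 * Added example, not heimdal's code. Mirrors the #ifdef approach from the bug:
 * only a libcrypto that still ships RAND_egd() may call it; everything else
 * reads /dev/urandom directly (/dev/random on FreeBSD since 4.2 is equivalent).
 */
#include <stddef.h>
#include <stdio.h>

/* HAVE_OPENSSLV_H is this example's own macro (assumption, not from OpenSSL).
 * Nested #if keeps compilers without __has_include from parsing the argument. */
#if defined(__has_include)
#  if __has_include(<openssl/opensslv.h>)
#    include <openssl/opensslv.h>
#    define HAVE_OPENSSLV_H 1
#  endif
#endif

/* Returns 1 if this build may call RAND_egd(), 0 otherwise. */
static int egd_available(void)
{
#if !defined(HAVE_OPENSSLV_H)
    return 0;   /* no libcrypto headers at all: nothing to call */
#elif defined(OPENSSL_NO_EGD) || defined(LIBRESSL_VERSION_NUMBER)
    return 0;   /* LibreSSL, or OpenSSL 1.1.0+ built without EGD */
#else
    return 1;   /* legacy OpenSSL with RAND_egd() still present */
#endif
}

/* Fill buf with len bytes from the kernel RNG. Returns bytes read, or -1. */
static long seed_from_kernel(unsigned char *buf, size_t len)
{
    FILE *f;
    size_t n;

    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, len, f);
    fclose(f);
    return (long)n;
}

/* Sanity check on a seed: a kernel RNG must not hand back all zeros. */
static int all_zero(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Seeds a 32-byte buffer without EGD; returns 1 on success, 0 on failure. */
static int kernel_seed_ok(void)
{
    unsigned char seed[32];

    if (seed_from_kernel(seed, sizeof seed) != (long)sizeof seed)
        return 0;
    return !all_zero(seed, sizeof seed);
}

int main(void)
{
    printf("RAND_egd usable in this build: %s\n", egd_available() ? "yes" : "no");
    printf("kernel RNG seed: %s\n", kernel_seed_ok() ? "ok" : "FAILED");
    return kernel_seed_ok() ? 0 : 1;
}
```

Where a configure script is available, the same decision is better made once at build time with the AC_CHECK_LIB line above and a HAVE_RAND_EGD define; the preprocessor guard is what remains when, as in this bug, no clean place for that check exists.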
Comment 1 Bernard Spil freebsd_committer 2015-03-11 19:57:35 UTC
Wanted to upstream the patch, but there's been a change in heimdal master where RAND_EGD is disabled for Windows it seems...
Comment 2 Sevan Janiyan 2015-04-10 12:26:13 UTC
Created attachment 155420 [details]
patch for security/heimdal

The attached patch integrates Bernard's changes with security/heimdal and adds the autoconf check to cf/crypto which was missing in the previous diff.
The port now uses autoconf; needed to regen the configure script.
Bump port rev.
Comment 3 Bernard Spil freebsd_committer 2015-04-10 21:07:07 UTC
Created attachment 155435 [details]
svn diff for security/heimdal

This patch improves on the previous patch by properly detecting EGD support in configure. No need to delete EGD support from bundled heimdal crypto lib.
Comment 4 Bernard Spil freebsd_committer 2015-04-28 19:20:11 UTC
Upstream implemented this in https://github.com/heimdal/heimdal/pull/124
Comment 5 Bernard Spil freebsd_committer 2015-08-14 16:18:21 UTC
Created attachment 159861 [details]
svn diff for security/heimdal

Adapted/simplified the patch to work with the new OPENSSL_NO_EGD define that was recently added to LibreSSL's headers.
Comment 6 Bernard Spil freebsd_committer 2015-08-14 16:32:31 UTC
> The file you are trying to attach is 1632 kilobytes (KB) in size. Attachments cannot be more than 1000 KB.
> We recommend that you store your attachment elsewhere and then paste the URL to this file on the attachment creation page in the appropriate text field, which you can access by clicking the "paste text as attachment" link.

So https://brnrd.eu/poudriere/data/102amd64-default/2015-08-14_18h20m12s/logs/heimdal-1.5.3_4.log should do!
Comment 7 Bernard Spil freebsd_committer 2016-02-15 10:28:28 UTC
Created attachment 167022 [details]
Poudriere log security/heimdal

Built with LibreSSL-devel 2.3.2

1634 KB, so gzipped.

Source: https://brnrd.eu/poudriere/data/102amd64-default/2016-02-14_21h54m39s/logs/heimdal-1.5.3_4.log
Comment 8 dewayne 2016-02-29 03:05:42 UTC
Bernard, great job getting LibreSSL to build, and the obvious effort that you have put in to getting the upstream ports/folks to accept the changes necessary to build various ports using LibreSSL (per https://wiki.freebsd.org/LibreSSL and attached pages).

Is there any chance of getting the patches into security/heimdal/files as a permanent fix?  

As an aside, as EGD appears to provide no benefit on "modern" operating systems which take care of system entropy, then why not remove the unnecessary function call (RAND_egd) altogether?
Comment 9 Bernard Spil freebsd_committer 2016-02-29 10:12:35 UTC
(In reply to dewayne from comment #8)

> Is there any chance of getting the patches into security/heimdal/files as a
> permanent fix?  

This will have to be applied as a permanent fix, OpenSSL 1.1.0 also disables EGD support by default. Fortunately it uses the same OPENSSL_NO_EGD define as LibreSSL does.

I've just created the security/openssl-devel port for OpenSSL 1.1.0, see review D5484 

> As an aside, as EGD appears to provide no benefit on "modern" operating systems
> which take care of system entropy, then why not remove the unnecessary function
> call (RAND_egd) altogether?

Correct, but projects try to keep all options open. The #ifndef guards should suffice.
Comment 10 Zach Leslie freebsd_committer 2016-04-04 23:47:16 UTC
Thank you for the efforts.  I'm just now trying to get all my systems to use libressl and am eagerly awaiting this.
Comment 11 Bernard Spil freebsd_committer 2016-04-07 19:50:03 UTC
Upstream request https://github.com/heimdal/heimdal/pull/167
Comment 12 Bernard Spil freebsd_committer 2016-04-07 19:51:39 UTC
This is now also relevant for OpenSSL 1.1.0 which disables EGD by default at build time and defines OPENSSL_NO_EGD (like LibreSSL does)
Comment 13 Zach Leslie freebsd_committer 2016-05-27 15:00:33 UTC
Looks like upstream was merged.  Is this able to proceed?  Any other blockers?
Comment 14 Corey Halpin 2016-06-19 20:12:59 UTC
*** Bug 210392 has been marked as a duplicate of this bug. ***
Comment 15 Bernard Spil freebsd_committer 2016-07-02 12:41:31 UTC
See https://reviews.freebsd.org/D7053

Backport EGD removal from 1.6 branch
Comment 16 Bernard Spil freebsd_committer 2016-12-10 11:11:52 UTC
Closed by ports r421928