On 2014/06/01 14:02, Stuart Henderson wrote:
> On 2014/05/31 13:47, Jérémie Courrèges-Anglas wrote:
> > Stuart Henderson <st...@openbsd.org> writes:
> >
> > > Awesome! We probably need to delete more lines. Not sure a good way
> > > to feed this sort of change back to upstreams though, as they *do* need
> > > this with OpenSSL.
> >
> > [...]
> >
> > I agree that more lines should be "deleted". Is this clear enough?
>
> Unless a proper autoconf check is added I think it would be better to
> just delete the lines.. As-is, reading just the patch suggests that
> upstream might have some check to define OPENSSL_RAND_HACKS that we're
> just making use of here.
>
> (outright deleting is also more likely to draw attention to any upstream
> changes in the relevant code if the port is updated, as the patch will
> then fail or warn about being applied with fuzz).
>
so... it seems the comment is outdated; RAND_load_file(3) advises against using this function. I think this makes sense. OK?

Index: Makefile =================================================================== RCS file: /cvs/ports/www/elinks/Makefile,v retrieving revision 1.32 diff -u -p -r1.32 Makefile --- Makefile 10 Oct 2013 20:10:51 -0000 1.32 +++ Makefile 2 Jun 2014 11:05:24 -0000 @@ -2,7 +2,7 @@ COMMENT= full-featured text WWW browser DISTNAME= elinks-0.11.7 -REVISION= 7 +REVISION= 8 CATEGORIES= www MASTER_SITES= http://elinks.cz/download/ Index: patches/patch-src_network_ssl_ssl_c =================================================================== RCS file: /cvs/ports/www/elinks/patches/patch-src_network_ssl_ssl_c,v retrieving revision 1.1 diff -u -p -r1.1 patch-src_network_ssl_ssl_c --- patches/patch-src_network_ssl_ssl_c 19 Apr 2014 17:59:38 -0000 1.1 +++ patches/patch-src_network_ssl_ssl_c 2 Jun 2014 11:05:24 -0000 
@@ -1,17 +1,30 @@ $OpenBSD: patch-src_network_ssl_ssl_c,v 1.1 2014/04/19 17:59:38 sthen Exp $ ---- src/network/ssl/ssl.c.orig Sat Apr 19 18:44:13 2014 -+++ src/network/ssl/ssl.c Sat Apr 19 18:45:12 2014 -@@ -49,11 +49,8 @@ init_openssl(struct module *module) - * cannot initialize the PRNG and so every attempt to use SSL fails. - * It's actually an OpenSSL FAQ, and according to them, it's up to the - * application coders to seed the RNG. -- William Yodlowsky */ + +Remove RAND_egd, dangerous API has been removed in libressl. + +Remove RAND_load_file use; "RAND_load_file() used to allow for the state +of the random number generator to be controlled by external sources. It +is kept for ABI compatibility but is no longer functional, and should +not used in new programs." + +--- src/network/ssl/ssl.c.orig Sat Aug 22 12:15:08 2009 ++++ src/network/ssl/ssl.c Mon Jun 2 12:04:23 2014 +@@ -43,18 +43,6 @@ SSL_CTX *context = NULL; + static void + init_openssl(struct module *module) + { +- unsigned char f_randfile[PATH_MAX]; +- +- /* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library +- * cannot initialize the PRNG and so every attempt to use SSL fails. +- * It's actually an OpenSSL FAQ, and according to them, it's up to the +- * application coders to seed the RNG. -- William Yodlowsky */ - if (RAND_egd(RAND_file_name(f_randfile, sizeof(f_randfile))) < 0) { - /* Not an EGD, so read and write to it */ - if (RAND_load_file(f_randfile, -1)) - RAND_write_file(f_randfile); - } -+ if (RAND_load_file(f_randfile, -1)) -+ RAND_write_file(f_randfile); - +- SSLeay_add_ssl_algorithms(); context = SSL_CTX_new(SSLv23_client_method()); + SSL_CTX_set_options(context, SSL_OP_ALL);
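Review bot: as far as the run-together diff shows, the new patch body also drops `SSLeay_add_ssl_algorithms();` (the `+-` line just before `context = SSL_CTX_new(SSLv23_client_method());`), and neither the patch comment nor the mail mentions it; that macro is SSL_library_init(), which OpenSSL and the LibreSSL of this period require before SSL_CTX_new() returns a usable context, so either keep that line as unchanged context or say in the patch comment where the library is now initialised. The patch comment's quotation of RAND_load_file(3) reads "should not used in new programs"; worth checking whether that is verbatim from the manual page or a transcription slip before it is committed. Dropping `RAND_write_file(f_randfile)` along with the load is consistent: with no seed file being read there is nothing to persist, and on OpenBSD the kernel supplies entropy directly.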
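The autoconf route Stuart mentions, as an added example that is not code from the elinks port, its upstream, or this thread: `AC_CHECK_FUNCS([RAND_egd RAND_load_file])` in configure.ac defines HAVE_RAND_EGD and HAVE_RAND_LOAD_FILE in config.h only when the linked libcrypto provides those functions, and the seed-file block from ssl.c is compiled solely under that guard. The function names `seed_rng_from_file` and `seed_file_support_compiled_in` and their return values are assumptions made for this example; the guarded body otherwise mirrors the block the patch removes. On LibreSSL, where RAND_egd() is gone, the guard compiles the block out, which has the same effect as the deletion but keeps the intent visible to upstream.

```c
/* Added example, not elinks code: the seed-file RNG path compiled in only
 * when configure found the EGD/seed-file API. Assumes a config.h produced by
 *   AC_CHECK_FUNCS([RAND_egd RAND_load_file])
 * which defines HAVE_RAND_EGD and HAVE_RAND_LOAD_FILE when both exist. */
#include <stdio.h>

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#if defined(HAVE_RAND_EGD) && defined(HAVE_RAND_LOAD_FILE)
#include <limits.h>        /* PATH_MAX */
#include <openssl/rand.h>
#define SEED_FILE_SUPPORT 1
#else
#define SEED_FILE_SUPPORT 0   /* LibreSSL, or any libcrypto without RAND_egd() */
#endif

/* Reports which path the build got; useful in a port's post-configure log. */
int seed_file_support_compiled_in(void)
{
    return SEED_FILE_SUPPORT;
}

/* Returns 1 when the seed-file code path was compiled in and ran,
 * 0 when the build relies on the library and kernel RNG instead. */
int seed_rng_from_file(void)
{
#if SEED_FILE_SUPPORT
    char f_randfile[PATH_MAX];

    /* Same logic as the removed elinks block: if the path is not an EGD
     * socket, read the seed file and write a refreshed state back to it. */
    if (RAND_egd(RAND_file_name(f_randfile, sizeof(f_randfile))) < 0) {
        if (RAND_load_file(f_randfile, -1))
            RAND_write_file(f_randfile);
    }
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("seed-file RNG path compiled in: %s\n",
           seed_file_support_compiled_in() ? "yes" : "no");
    /* The two must agree: the code ran exactly when it was compiled in. */
    return seed_rng_from_file() == seed_file_support_compiled_in() ? 0 : 1;
}
```

Built without a config.h (or against LibreSSL), both functions report 0 and the program never touches a seed file; a build where configure found both functions takes the original elinks path.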