[issue24046] Incomplete build on AIX

aixtools report at bugs.python.org
Fri Apr 24 04:54:41 CEST 2015 

New submission from aixtools:

Actually, I have been building and using my builds of Python, when needed for ./configure requirements for a long time. In short, it is quite nice that make "completes" even when there are missing and/or failed modules.

I have just resolved the problem with ctypes not building (see https://bugs.python.org/issue6006) and that got me started to research others.

Failed to build these modules:
_elementtree       _sqlite3           _ssl            
bz2                pyexpat                            


While there are several - I am looking first at ssl.

My first attempt comes up with some failed defines - probably because the latest openssl provided by IBM is openssl-1.0.0 and openssl-1.0.1 is needed.

Rather than wait for that to happen I decided to experiment with LibreSSL. If you are not familiar with LibreSSL - I shall be quick - openbsd (who also maintains openssh) has been cutting out insecure and/or superfluous code.

One of the more insecure (because it can be a predictable source of enthropy) is RAND_egd() - so it is unavoidable that this occurs:

ld: 0711-317 ERROR: Undefined symbol: .RAND_egd

After patching _ssl.c to this:
--- _ssl.c.orig 2014-06-30 02:05:42 +0000
+++ _ssl.c      2015-04-24 02:47:00 +0000
@@ -1604,6 +1604,7 @@
 static PyObject *
 PySSL_RAND_egd(PyObject *self, PyObject *arg)
 {
+#ifndef LIBRESSL_VERSION_NUMBER
     int bytes;
 
     if (!PyString_Check(arg))
@@ -1618,6 +1619,12 @@
         return NULL;
     }
     return PyInt_FromLong(bytes);
+#else
+        PyErr_SetString(PySSLErrorObject,
+                        "external EGD connection not allowed when using LibreSSL:"
+                        "no data to seed the PRNG via PySSL_RAND_egd");
+        return NULL;
+#endif
 }
 
 PyDoc_STRVAR(PySSL_RAND_egd_doc,

The end result is:
Failed to build these modules:
_elementtree       _sqlite3           bz2             
pyexpat 

In short, you can get ahead of the curve by depreciating/removing PySSL_RAND_egd() because any code that uses it may be receiving predictable input and thereafter everything may be predictable.

If you do not believe openbsd (or me) - just read the code. It calls anything configured (handy when /dev/urandom was hard to find anno 1999) but these days a backdoor waiting to be opened.

p.s. As I get time I shall continue with the other modules that do not build - just let me know if you prefer that I continue posting in this "issue", or make new one(s) for each module as I find a solution.

----------
components: Extension Modules
messages: 241908
nosy: aixtools at gmail.com
priority: normal
severity: normal
status: open
title: Incomplete build on AIX
type: compile error
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24046>
_______________________________________

More information about the Python-bugs-list mailing list