[Python-Dev] Re: Problem with SSL and socketmodule on Debian Potato?

Moshe Zadka moshez@zadka.site.co.il
Sat, 14 Apr 2001 03:58:38 +0300


"competing patch" attached at end.

On Fri, 13 Apr 2001, "Martin v. Loewis" <martin@loewis.home.cs.tu-berlin.de> wrote:
> > No, this seems like a worse cure than the cause...
> 
> Can you elaborate? It cures the problem of the socket module not being
> loadable...

You're right, it was a bad choice of words.
 
> AFAICT, under my patch, when using OpenSSL on a system with EGD, it
> will do the right thing. On a system with /dev/random, it will produce
> a runtime warning, then add insecure entropy - in addition to the
> secure entropy already obtained from /dev/random.
> 
> Under what I think is your patch, it will do the right thing on a
> system with /dev/random. On a system with EGD, it will fail because of
> the missing entropy.

Correct on both. My "worse" is: it would print a warning about using
an insecure method on systems with /dev/random but without an EGD,
even though it is secure. Note that the EGD stuff is new with 2.1,
so losing that is not a step backwards from 2.0. Printing a wrong warning
is a step backwards, so in that sense my patch is more conservative.
 
After further contemplation, none of these is a pure win.
It's up to Guido if he wants to use my patch instead of Martin's
for 2.1final.
-- 
"I'll be ex-DPL soon anyway so I'm        |LUKE: Is Perl better than Python?
looking for someplace else to grab power."|YODA: No...no... no. Quicker,
   -- Wichert Akkerman (on debian-private)|      easier, more seductive.
For public key, finger moshez@debian.org  |http://www.{python,debian,gnu}.org


*** Modules/socketmodule.c	Sun Mar 18 18:38:50 2001
--- new	Sat Apr 14 03:53:20 2001
***************
*** 2545,2550 ****
--- 2545,2551 ----
  	if (PyDict_SetItemString(d, "SSLType",
  				 (PyObject *)&SSL_Type) != 0)
  		return;
+ #if OPENSSL_VERSION_NUMBER < 0x0090510fL
  	if (RAND_status() == 0) {
  #ifdef USE_EGD
  		char random_device[MAXPATHLEN+1];
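
Review bot: the threshold in `#if OPENSSL_VERSION_NUMBER < 0x0090510fL` is an undocumented magic number, and placing it above `if (RAND_status() == 0)` turns a runtime check into a compile-time decision. Add a comment naming the OpenSSL release the constant denotes and why seeding is unnecessary from that release on. With the guard here, a build against a newer OpenSSL never asks RAND_status() at module init, so an unseeded PRNG goes undetected; consider leaving the RAND_status() test outside the guard and only guarding what is done in response to it.
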
***************
*** 2571,2576 ****
--- 2572,2578 ----
  		RAND_seed(random_string, sizeof(random_string));
  #endif /* USE_EGD */
  	}
+ #endif /* OPENSSL_VERSION_NUMBER < 0x0090510fL */
  #endif /* USE_SSL */
  	PyDict_SetItemString(d, "error", PySocket_Error);
  	PySocketSock_Type.ob_type = &PyType_Type;
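
Review bot: the closing `#endif /* OPENSSL_VERSION_NUMBER < 0x0090510fL */` sits after `#endif /* USE_EGD */`, so the version guard compiles out the whole USE_EGD conditional, not only the branch ending in `RAND_seed(random_string, sizeof(random_string));`. If the goal is just to stop the fallback seeding from running on newer OpenSSL, narrow the guard to that branch so a build with USE_EGD still seeds when RAND_status() returns 0.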