libressl: enable FAIL_INSTEAD_OF_TRYING_FALLBACK in getentropy_linux.c.

2015-12-07 11:55:43 +01:00 · 2015-12-07 11:55:43 +01:00 · 1f0e971e32
parent d26ac8be91
commit 1f0e971e32
2 changed files with 22 additions and 1 deletions
--- a/srcpkgs/libressl/patches/fail-instead-of-trying-fallback.patch
+++ b/srcpkgs/libressl/patches/fail-instead-of-trying-fallback.patch
@ -0,0 +1,21 @@
+<chris2> so, current flow for getentropy is
+<chris2> 1) use SYS_getrandom if it exists (true on glibc and musl)
+<chris2> 2) use /dev/urandom
+<chris2> 3) use sysctl (glibc only)
+<chris2> 4) use terrible fallback
+<chris2> and with a one-line patch it can instead kill itself after 3
+<chris2> so that should only affect processes running without /dev/urandom on old kernels
+<chris2> probably no harm else
+<xtraeme> +1
+
+--- crypto/compat/getentropy_linux.c.orig
+++ crypto/compat/getentropy_linux.c
+@@ -162,7 +162,7 @@
+ 	 * sysctl ABI, or consider providing a new failsafe API which
+ 	 * works in a chroot or when file descriptors are exhausted.
+ 	 */
+-#undef FAIL_INSTEAD_OF_TRYING_FALLBACK
+#define FAIL_INSTEAD_OF_TRYING_FALLBACK
+ #ifdef FAIL_INSTEAD_OF_TRYING_FALLBACK
+ 	raise(SIGKILL);
+ #endif
--- a/srcpkgs/libressl/template
+++ b/srcpkgs/libressl/template
@ -1,7 +1,7 @@
 # Template file for 'libressl'
 pkgname=libressl
 version=2.2.4
-revision=3
+revision=4
 bootstrap=yes
 build_style=gnu-configure
 short_desc="Version of the TLS/crypto stack forked from OpenSSL"