From: Jim Jagielski <jim@apache.org>
Date: Wed, 13 May 2015 12:48:13 +0000 (+0000)
Subject: Merge r1674542, r1675410, r1676842 from trunk:
X-Git-Tag: 2.4.13~105
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=429a4ba7e5239f9b8b9f97a1d2b18ada35c4dd9a;p=apache

Merge r1674542, r1675410, r1676842 from trunk:

mod_ssl: Check for RAND_egd() at configure time and only use it if present.
Fixes the build with LibreSSL which does not provide this function.

Submitted by: Bernard Spil <pil.oss gmail com>, stsp
Committed by: stsp


mod_ssl: Make the config parser complain if SSLRandomSeed specifies
the Entropy Gathering Daemon (EGD) as source while the underlying
SSL library does not support EGD (e.g. in case of LibreSSL).

Suggested and reviewed by: kbrand


Follow up to r1674542 and r1675410: CHANGES entry.
Submitted by: stsp, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1679199 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index c1b3a469f6..cdba0c535e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -34,6 +34,11 @@ Changes with Apache 2.4.13
   *) mod_status: Add more data to machine readable server-status produced
      when using the "?auto" query string.  [Rainer Jung]
 
+  *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
+     configure time (RAND_egd), and complain if SSLRandomSeed requires using
+     it otherwise.  [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
+     Kaspar Brand]
+
   *) mod_ssl: make sure to consistently output SSLCertificateChainFile
      deprecation warnings, when encountered in a VirtualHost block.
      [Falco Schwarz <hiding falco.me>]
diff --git a/STATUS b/STATUS
index 64a58e63ca..4711a4c266 100644
--- a/STATUS
+++ b/STATUS
@@ -105,15 +105,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
-     configure time (RAND_egd), and complain if SSLRandomSeed requires using
-     it otherwise.
-     trunk patch: http://svn.apache.org/r1674542
-                  http://svn.apache.org/r1675410
-                  http://svn.apache.org/r1676842
-     2.4.x patch: trunk works (modulo CHANGES)
-     +1: ylavic, trawick, rjung
-
 
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
diff --git a/acinclude.m4 b/acinclude.m4
index 6fa6382613..d94f8aae6f 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -576,7 +576,7 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[
       liberrors=""
       AC_CHECK_HEADERS([openssl/engine.h])
       AC_CHECK_FUNCS([SSLeay_version SSL_CTX_new], [], [liberrors="yes"])
-      AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines])
+      AC_CHECK_FUNCS([ENGINE_init ENGINE_load_builtin_engines RAND_egd])
       if test "x$liberrors" != "x"; then
         AC_MSG_WARN([OpenSSL libraries are unusable])
       fi
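Review bot: The new `RAND_egd` entry in the `AC_CHECK_FUNCS` list silently sets or leaves unset `HAVE_RAND_EGD` in the generated config header; unlike the `SSLeay_version SSL_CTX_new` check just above it there is no warning when it fails, so a LibreSSL build gives no configure-time hint that `egd:` seeds will later be rejected at startup. Since the check sits in the same group as the `ENGINE_*` probes, it already runs with the OpenSSL link flags in effect, so the result itself is reliable; consider adding an `AC_MSG_NOTICE` (or a line in the build docs) stating that EGD support was not detected, so that operators carrying `SSLRandomSeed ... egd:` directives learn about it before the config parser refuses to start the server.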
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 0d4e661d5d..756ff227b5 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -606,8 +606,15 @@ const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd,
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+5);
     }
     else if ((arg2len > 4) && strEQn(arg2, "egd:", 4)) {
+#ifdef HAVE_RAND_EGD
         seed->nSrc   = SSL_RSSRC_EGD;
         seed->cpPath = ap_server_root_relative(mc->pPool, arg2+4);
+#else
+        return apr_pstrcat(cmd->pool, "Invalid SSLRandomSeed entropy source `",
+                           arg2, "': This version of " MODSSL_LIBRARY_NAME
+                           " does not support the Entropy Gathering Daemon "
+                           "(EGD).", NULL);
+#endif
     }
     else if (strcEQ(arg2, "builtin")) {
         seed->nSrc   = SSL_RSSRC_BUILTIN;
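Review bot: The `#else` branch turns an unsupported `egd:` source into a hard config-parse error, which is the right fail-closed behaviour (a silently ignored seed source would be worse), but the correctness of the whole block hinges on `HAVE_RAND_EGD` being in scope: it is produced by the `AC_CHECK_FUNCS` change in acinclude.m4 and lands in the generated config header, so please confirm that header is included in this translation unit before this point, otherwise every build would take the `#else` path and reject `egd:` even where `RAND_egd` is available. A trailing `#endif /* HAVE_RAND_EGD */` comment would also make the conditional easier to follow in the middle of the `else if` chain.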
diff --git a/modules/ssl/ssl_engine_rand.c b/modules/ssl/ssl_engine_rand.c
index df25d8fd63..4e1a9c1cda 100644
--- a/modules/ssl/ssl_engine_rand.c
+++ b/modules/ssl/ssl_engine_rand.c
@@ -81,6 +81,7 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
                 nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
                 ssl_util_ppclose(s, p, fp);
             }
+#ifdef HAVE_RAND_EGD
             else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
                 /*
                  * seed in contents provided by the external
@@ -90,6 +91,7 @@ int ssl_rand_seed(server_rec *s, apr_pool_t *p, ssl_rsctx_t nCtx, char *prefix)
                     continue;
                 nDone += n;
             }
+#endif
             else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
                 struct {
                     time_t t;
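Review bot: The `#endif` here closes the `#ifdef HAVE_RAND_EGD` opened in the previous hunk, so the conditional spans one whole `else if` arm of the seeding chain; this only compiles cleanly because the `#endif` lands exactly before the next `else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN)`, and anyone later inserting code between the two hunks could break the chain without noticing. Suggest `#endif /* HAVE_RAND_EGD */` and a one-line comment noting that the `SSL_RSSRC_EGD` arm is unreachable in non-EGD builds because `ssl_cmd_SSLRandomSeed` now rejects `egd:` sources at config-parse time, which is why compiling it out is safe.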