Bug 1069394

Summary: [RFE] Enable havege functions (havege_init and havege_random)
Product: [Fedora] Fedora
Reporter: Dridi Boukelmoune <dridi.boukelmoune>
Component: polarssl
Assignee: Orphan Owner <extras-orphan>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: alexjnewt, ktdreyer, kwizart, mads, ms
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Last Closed: 2015-07-17 12:49:10 UTC
Type: Bug
Attachments: polarssl.havege.patch (flags: none)

Description Dridi Boukelmoune 2014-02-24 22:31:56 UTC
Created attachment 867162
polarssl.havege.patch

Description of problem:
I need those functions for a piece of code I'm trying to build, and they're missing from the current package (despite havege.h being in polarssl-devel). I'd like to avoid maintaining parallel polarssl packages for my environment, and yes I have read the warning that comes with havege :)

Version-Release number of selected component (if applicable):
polarssl-1.2.9-1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:

$ sudo yum install polarssl-devel

$ cat test.c 
#include <polarssl/net.h>
#include <polarssl/ssl.h>
#include <polarssl/havege.h>

int main()
{
    ssl_context ctx;
    ssl_session session;
    havege_state hs;

    ssl_init(&ctx);
    havege_init(&hs);
    ssl_set_rng(&ctx, havege_random, &hs);
    ssl_set_session(&ctx, &session);

    ssl_close_notify(&ctx);
    ssl_session_free(&session);
    ssl_free(&ctx);

    return 0;
}

$ gcc test.c -lpolarssl

Actual results:

/tmp/ccqc0Pl4.o: In function `main':
test.c:(.text+0x25): undefined reference to `havege_init'
test.c:(.text+0x38): undefined reference to `havege_random'
collect2: error: ld returned 1 exit status

Expected results:

$ ./a.out && echo ok
ok

Additional info:
Patch attached, only a sed command in %prep.
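
The mismatch reported above (havege.h ships in polarssl-devel, but the library does not export the functions it declares) can be caught at packaging time. The following check is an added example, not part of the original report or of the polarssl package; the function name `missing_exports` is hypothetical and the `nm` listing is a constructed sample with made-up addresses.

```shell
#!/bin/sh
# Added example: list functions that a -devel header promises but the
# shared library does not export (the situation described in this bug).

# Constructed sample in the format of `nm -D libpolarssl.so` output.
# Addresses are invented; on a real system, capture the output of nm.
SAMPLE_NM='0000000000021a40 T ssl_init
0000000000021f10 T ssl_set_rng
0000000000022c80 T ssl_free
0000000000009d30 T ctr_drbg_random
0000000000009b10 T entropy_func
0000000000031000 D ssl_default_ciphersuites
                 U memcpy'

# missing_exports NM_TEXT SYMBOL...
# Prints every SYMBOL that is not a defined code symbol (type T, t, W or w)
# in NM_TEXT. Undefined (U) and data (D) entries do not count as exported
# functions.
missing_exports() {
    nm_text=$1
    shift
    for sym in "$@"; do
        printf '%s\n' "$nm_text" | awk -v want="$sym" '
            NF == 3 && $2 ~ /^[TtWw]$/ {
                name = $3
                sub(/@.*/, "", name)   # drop an @@VERSION suffix if present
                if (name == want) found = 1
            }
            END { exit found ? 0 : 1 }' || printf '%s\n' "$sym"
    done
}

# Stand-alone run: with the sample above this prints havege_init and
# havege_random, the two symbols the linker could not resolve.
missing_exports "$SAMPLE_NM" ssl_init havege_init havege_random ssl_set_rng
```
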

Comment 1 Mads Kiilerich 2014-02-25 23:05:25 UTC
Meh. This HAVEGE feature is somewhat controversial and it would be misleading and would lead to security problems if it were enabled by default. That is why upstream disables it by default. I doubt we are smarter than upstream or have significantly different use cases and constraints.

Comment 2 Dridi Boukelmoune 2014-02-26 17:54:19 UTC
Like I said, I have read the warning:
> Warning: the HAVEGE random generator is dependent on timing and specific
> processor traits. It is therefore not advised to use HAVEGE as
> your applications primary random generator or primary entropy pool
> input. As a secondary input to your entropy pool, it IS able add
> the (limited) extra entropy it provides.

There is a haveged package too:
https://apps.fedoraproject.org/packages/haveged

It is also enabled on Ubuntu's libpolarssl, and I too doubt we are smarter than other distros. So please consider enabling those functions for people who might need extra entropy.

Comment 3 Jeremy Newton 2014-03-09 03:47:28 UTC
This is a blocking issue for one of my packages... Is there a better reason for this to be blocked besides "it's not recommended"?

If there is a good reason, I will need to either have an alternative package with this enabled to be submitted or a bundling exception.

Please let me know, as this is a required element of the build requires.

Comment 4 Jonathan Dieter 2014-05-13 17:13:34 UTC
These functions are also required for a package that I'm working on.  If there isn't a better reason than "It's not recommended", please enable the missing functionality.

Comment 5 Nicolas Chauvet (kwizart) 2014-08-09 17:40:20 UTC
(In reply to Mads Kiilerich from comment #1)
> Meh. This HAVEGE feature is somewhat controversial and it would be
> misleading and would lead to security problems if it were enabled by
> default. That is why upstream disables it by default. I doubt we are smarter
> than upstream or have significantly different use cases and constraints.
Do you have any upstream reference about these statements?
Because from my foreign eyes if upstream was reluctant to enable this feature, they would simply not add the code to their repository, or even add a notice about this when the feature is enabled.

Comment 6 Jeremy Newton 2014-09-30 14:54:58 UTC
Change to f20, as it is still an issue and f19 is approaching EOF

Comment 7 Ken Dreyer 2014-09-30 17:39:09 UTC
Marking as FutureFeature so this doesn't get auto-closed.

Comment 8 Jonathan Dieter 2014-10-01 06:12:03 UTC
Just a heads up that I've brought this bug to the attention of the development list as the maintainer hasn't responded to any of the questions since February.

See https://lists.fedoraproject.org/pipermail/devel/2014-October/202838.html

Comment 9 Jeremy Newton 2014-10-02 14:45:40 UTC
(In reply to Jeremy Newton from comment #6)
> Change to f20, as it is still an issue and f19 is approaching EOF

Note that I meant to put EOL

(In reply to Jonathan Dieter from comment #8)
> Just a heads up that I've brought this bug to the attention of the
> development list as the maintainer hasn't responded to any of the questions
> since February.
> 
> See https://lists.fedoraproject.org/pipermail/devel/2014-October/202838.html

Thanks Jonathan for your help.

Comment 10 Fedora Admin XMLRPC Client 2015-07-17 12:47:13 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 11 Morten Stevens 2015-07-17 12:49:10 UTC
PolarSSL has been replaced by mbedtls.
