Bug 1409291

Summary: radcli: improper getentropy fallback
Product: [Fedora] Fedora
Component: radcli
Version: rawhide
Reporter: Florian Weimer <fweimer>
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: nmavrogi
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Fixed In Version: radcli-1.2.7-2.fc25
Last Closed: 2017-01-10 13:21:13 UTC

Description Florian Weimer 2016-12-31 08:51:36 UTC
Due to the definition of getentropy by glibc, the /dev/urandom code is no longer compiled in:

/** Generates a random vector of AUTH_VECTOR_LEN octets
 *
 * @param vector a buffer with at least %AUTH_VECTOR_LEN bytes.
 */
static void rc_random_vector(unsigned char *vector)
{
        int randno;
        int i;
#if defined(HAVE_GETENTROPY)
        if (getentropy(vector, AUTH_VECTOR_LEN) >= 0) {
                return;
        }                       /* else fall through */
#elif defined(HAVE_DEV_URANDOM)
…
#endif
 fallback:
        for (i = 0; i < AUTH_VECTOR_LEN;) {
                randno = random();
                memcpy((char *)vector, (char *)&randno, sizeof(int));
                vector += sizeof(int);
                i += sizeof(int);
        }

        return;
}

This means that radcli will use non-random bytes when radcli is run on older kernels (which is supported by Fedora).
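
A runtime fallback for the case described above, as an added example that is not radcli's code and not the commit linked later in this report: the `#if`/`#elif` in the quoted function picks the entropy source at compile time, so a `getentropy()` failure at run time lands in the `random()` loop. The function names `fill_from_urandom` and `random_vector_checked` and the `try_getentropy` parameter are hypothetical, and `AUTH_VECTOR_LEN` is set to 16 here (the RADIUS authenticator length) as an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* expose getentropy() in <unistd.h> on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define AUTH_VECTOR_LEN 16 /* assumed for this example: RADIUS authenticator size */

/* Read exactly len bytes from /dev/urandom; 0 on success, -1 on failure. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0 || errno != EINTR)
            break; /* EOF or a real error: give up, retry only on EINTR */
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Hypothetical checked variant: 0 on success, -1 if no kernel source worked.
 * try_getentropy exists only so the fallback path can be forced in a test. */
static int random_vector_checked(unsigned char *vector, int try_getentropy)
{
    if (try_getentropy && getentropy(vector, AUTH_VECTOR_LEN) == 0)
        return 0;
    /* getentropy() was compiled in but failed at run time (e.g. ENOSYS on
     * an older kernel): use /dev/urandom, and report failure, not random(). */
    return fill_from_urandom(vector, AUTH_VECTOR_LEN);
}

int main(void)
{
    unsigned char v[AUTH_VECTOR_LEN];
    if (random_vector_checked(v, 1) != 0)
        return 1; /* refuse to continue without kernel randomness */
    for (size_t i = 0; i < sizeof v; i++)
        printf("%02x", v[i]);
    putchar('\n');
    return 0;
}
```

Returning an error instead of `void` lets the caller refuse to send a request whose authenticator could not be filled from a kernel source.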

Comment 1 Nikos Mavrogiannopoulos 2017-01-02 07:46:54 UTC
I do not think we should push for userspace to auto-detect the kernel subsystem for providing random numbers. Shouldn't we instead require the Fedora release with that change to specify the minimum kernel it can run with?

Comment 2 Nikos Mavrogiannopoulos 2017-01-02 07:47:45 UTC
A workaround for radcli in Fedora could be the following:
https://github.com/radcli/radcli/commit/7dd5af227d7b10e7eb3b5cb103adf24f44bcbad6

Comment 3 Florian Weimer 2017-01-02 07:52:48 UTC
(In reply to Nikos Mavrogiannopoulos from comment #1)
> I do not think we should push for userspace to auto-detect the kernel
> subsystem for providing random numbers. Shouldn't we instead require the Fedora
> release with that change to specify the minimum kernel it can run with?

I was recently told that Fedora userland has to work on kernels from other distributions:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/7BE66WZB64C3ECJ4NOGGRU5M7GBHGYKD/

Comment 4 Fedora Update System 2017-01-02 09:08:41 UTC
radcli-1.2.7-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e435c2abd9

Comment 5 Fedora Update System 2017-01-02 20:48:07 UTC
radcli-1.2.7-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e435c2abd9

Comment 6 Fedora Update System 2017-01-10 13:21:13 UTC
radcli-1.2.7-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.