Bug 1069394 - [RFE] Enable havege functions (havege_init and havege_random)
Summary: [RFE] Enable havege functions (havege_init and havege_random)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: polarssl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Orphan Owner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-24 22:31 UTC by Dridi Boukelmoune
Modified: 2015-07-17 12:49 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-07-17 12:49:10 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
polarssl.havege.patch (383 bytes, patch)
2014-02-24 22:31 UTC, Dridi Boukelmoune 		no flags Details | Diff
View All

Description Dridi Boukelmoune 2014-02-24 22:31:56 UTC 
Created attachment 867162 [details]
polarssl.havege.patch

Description of problem:
I need those function for a piece of code I'm trying to build, and they're missing from the current package (despite havege.h being in polarssl-devel). I'd like to avoid maintaining parallel polarssl packages for my environment, and yes I have read the warning that comes with havege :)

Version-Release number of selected component (if applicable):
polarssl-1.2.9-1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:

$ sudo yum install polarssl-devel

$ cat test.c 
#include <polarssl/net.h>
#include <polarssl/ssl.h>
#include <polarssl/havege.h>
int main()
{
ssl_context ctx;
ssl_session session;
havege_state hs;

ssl_init(&ctx);
havege_init(&hs);
ssl_set_rng(&ctx, havege_random, &hs);
ssl_set_session(&ctx, &session);

ssl_close_notify(&ctx);
ssl_session_free(&session);
ssl_free(&ctx);

return 0;
}

$ gcc test.c -lpolarssl

Actual results:

/tmp/ccqc0Pl4.o: In function `main':
test.c:(.text+0x25): undefined reference to `havege_init'
test.c:(.text+0x38): undefined reference to `havege_random'
collect2: error: ld returned 1 exit status

Expected results:

$ ./a.out && echo ok
ok

Additional info:
Patch attached, only a sed command in %prep.
Comment 1 Mads Kiilerich 2014-02-25 23:05:25 UTC 
Meh. This HAVEGE feature is somewhat controversial and it would be misleading and would lead to security problems if it were enabled by default. That is why upstream disables it by default. I doubt we are smarter than upstream or have significantly different use cases and constraints.
Comment 2 Dridi Boukelmoune 2014-02-26 17:54:19 UTC 
Like I said, I have read the warning:
> Warning: the HAVEGE random generator is dependent on timing and specific
> processor traits. It is therefore not advised to use HAVEGE as
> your applications primary random generator or primary entropy pool
> input. As a secondary input to your entropy pool, it IS able add
> the (limited) extra entropy it provides.

There is a haveged package too:
https://apps.fedoraproject.org/packages/haveged

It is also enabled on ubuntu's libpolarssl, and I too doubt we are smarter than other distros. So please consider enabling those functions for people who might need extra entropy.
Comment 3 Jeremy Newton 2014-03-09 03:47:28 UTC 
This is a blocking issue for one of my packages... Is there a better reason for this to be blocked besides "it's not recommended"

If there is a good reason, I will need to either have an alternative package with this enabled to be submitted or a bundling exception.

Please let me know as this is a required element of the build requires
Comment 4 Jonathan Dieter 2014-05-13 17:13:34 UTC 
These functions are also required for a package that I'm working on.  If there isn't a better reason than "It's not recommended", please enable the missing functionality.
Comment 5 Nicolas Chauvet (kwizart) 2014-08-09 17:40:20 UTC 
(In reply to Mads Kiilerich from comment #1)
> Meh. This HAVEGE feature is somewhat controversial and it would be
> misleading and would lead to security problems if it were enabled by
> default. That is why upstream disables it by default. I doubt we are smarter
> than upstream or have significantly different use cases and constraints.
Do you have any upstream reference about theses statements?
Because from my foreign eyes if upstream was reluctant to enable this feature, they would simply not add the code to their repository, or even add a notice about this when the feature is enabled.
Comment 6 Jeremy Newton 2014-09-30 14:54:58 UTC 
Change to f20, as it is still an issue and f19 is approaching EOF
Comment 7 Ken Dreyer 2014-09-30 17:39:09 UTC 
Marking as FutureFeature so this doesn't get auto-closed.
Comment 8 Jonathan Dieter 2014-10-01 06:12:03 UTC 
Just a heads up that I've brought this bug to the attention of the development list as the maintainer hasn't responded to any of the questions since February.

See https://lists.fedoraproject.org/pipermail/devel/2014-October/202838.html
Comment 9 Jeremy Newton 2014-10-02 14:45:40 UTC 
(In reply to Jeremy Newton from comment #6)
> Change to f20, as it is still an issue and f19 is approaching EOF

Note that I meant to put EOL

(In reply to Jonathan Dieter from comment #8)
> Just a heads up that I've brought this bug to the attention of the
> development list as the maintainer hasn't responded to any of the questions
> since February.
> 
> See https://lists.fedoraproject.org/pipermail/devel/2014-October/202838.html

Thanks Jonathon for your help
Comment 10 Fedora Admin XMLRPC Client 2015-07-17 12:47:13 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 11 Morten Stevens 2015-07-17 12:49:10 UTC 
PolarSSL has been replaced by mbedtls.

# closed
Note You need to log in before you can comment on or make changes to this bug.