Heimdal bundles libtommath. The FPC passed a bundling exception here: https://fedorahosted.org/fpc/ticket/387
Originally I thought we would be able to build Heimdal with the OpenSSL backend which would avoid the dependency on libtommath.
As explained by Jeff Altman (one of the upstream Heimdal developers) in https://admin.fedoraproject.org/updates/FEDORA-2014-7925/heimdal-1.6.0-0.7.20140621gita5adc06.fc20 , we are going to have to revert to the hcrypto backend. I will quote Jeff's Bodhi feedback here, with formatting:

This Heimdal package was built with OpenSSL --with-openssl=/usr

The problem with using OpenSSL for Heimdal is that it is not thread safe.
OpenSSL thread safety is dependent upon the application providing a set of
callback functions to create, lock, unlock, and destroy mutex objects. As
a library, Heimdal is unable to safely establish those callback routines
and so all CRYPTO_r_lock() and CRYPTO_w_lock() operations within OpenSSL's
libcrypto become no-ops. These lock operations are required to protect
OpenSSL's crypto routines, the error handling, memory allocation, random
number generator, and more. Heimdal is only safe to build against OpenSSL
when one of the following is true:

1. It is built single threaded
2. It is linked to an application that is aware of OpenSSL, links to
   OpenSSL, and registers the appropriate callbacks.

Heimdal provides its own crypto library, libhcrypto, which is thread safe
and is built against its own version of libtommath which is modified to
reduce the risk of information leakage based upon computation timing
attacks. Please package Heimdal using the built-in hcrypto library or
contribute an hcrypto wrapper around another crypto library (NSS?) which
is thread-safe without callbacks.

Since the OpenSSL backend is not as safe as I had hoped, I have made the switch back to hcrypto in heimdal-1.6.0-0.9.20140621gita5adc06 (http://pkgs.fedoraproject.org/cgit/heimdal.git/commit/?id=6506dba571b789ee4a0eff5b5b89e03449d9b024)
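
The following is an added illustration, not part of the bug report and not code from Heimdal or OpenSSL. It is a self-contained C model of the callback-based locking design described in the quoted feedback: lock requests are no-ops until an application registers a callback. Every model_ and app_ name is hypothetical.

```c
/* Model of a callback-based locking design; not OpenSSL or Heimdal code. */
#include <pthread.h>
#include <stdio.h>

#define MODEL_LOCK      1  /* mode flag: acquire */
#define MODEL_UNLOCK    2  /* mode flag: release */
#define MODEL_LOCK_RAND 0  /* index of the lock guarding the RNG state */

typedef void (*model_lock_cb)(int mode, int n);

/* Library side: one process-global callback slot, NULL until an application fills it. */
static model_lock_cb g_lock_cb;
static unsigned long g_rand_state = 1;

void model_set_locking_callback(model_lock_cb cb) { g_lock_cb = cb; }
model_lock_cb model_get_locking_callback(void) { return g_lock_cb; }

/* Returns 1 if the request reached a real mutex, 0 if it silently did nothing. */
static int model_lock(int mode, int n) {
    if (g_lock_cb == NULL) return 0;
    g_lock_cb(mode, n);
    return 1;
}
/* Library routine that mutates shared state; returns 1 only if it ran under a lock. */
int model_rand_step(void) {
    int guarded = model_lock(MODEL_LOCK, MODEL_LOCK_RAND);
    g_rand_state = g_rand_state * 1103515245UL + 12345UL;
    model_lock(MODEL_UNLOCK, MODEL_LOCK_RAND);
    return guarded;
}

/* Application side: it owns the mutexes and decides when to register them. */
static pthread_mutex_t app_locks[2] = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER };
static int app_acquired;

static void app_lock_cb(int mode, int n) {
    if (mode & MODEL_LOCK) { pthread_mutex_lock(&app_locks[n]); app_acquired++; }
    else pthread_mutex_unlock(&app_locks[n]);
}
/* Register once at start-up, before any thread uses the library; 1 means a callback is set. */
int app_init_locking(void) {
    if (model_get_locking_callback() == NULL) model_set_locking_callback(app_lock_cb);
    return model_get_locking_callback() != NULL;
}
int app_lock_acquisitions(void) { return app_acquired; }

int main(void) {
    int before = model_rand_step();  /* nothing registered yet: runs unguarded */
    app_init_locking();
    printf("guarded before registration: %d, after: %d\n", before, model_rand_step());
    return 0;
}
```

The NULL check in app_init_locking also shows why a library cannot safely do this itself: the slot is process-global, so a library that sets it unconditionally would replace callbacks the application or another library already installed.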
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.
More information and reason for this action is here: