Bug 1118462 - [RFE] Heimdal bundles libtommath
Summary: [RFE] Heimdal bundles libtommath
Alias: None
Product: Fedora
Classification: Fedora
Component: heimdal
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ken Dreyer
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: DuplicSysLibsTracker
TreeView+ depends on / blocked
Reported: 2014-07-10 18:48 UTC by Ken Dreyer
Modified: 2015-05-02 20:09 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Ken Dreyer 2014-07-10 18:48:45 UTC
Heimdal bundles libtommath. The FPC passed a bundling exception here: https://fedorahosted.org/fpc/ticket/387

Comment 1 Ken Dreyer 2014-07-10 18:54:05 UTC
Originally I thought we would be able to build Heimdal with the OpenSSL backend which would avoid the dependency on libtommath.

As explained by Jeff Altman (one of the upstream Heimdal developers) in https://admin.fedoraproject.org/updates/FEDORA-2014-7925/heimdal-1.6.0-0.7.20140621gita5adc06.fc20 , we are going to have to revert to the hcrypto backend. I will quote Jeff's Bodhi feedback here, with formatting:

  This Heimdal package was built with OpenSSL --with-openssl=/usr

  The problem with using OpenSSL for Heimdal is that it is not thread safe.
  OpenSSL thread safety is dependent upon the application providing a set of
  callback functions to create, lock, unlock, and destroy mutex objects. As
  a library, Heimdal is unable to safely establish those callback routines
  and so all CRYPTO_r_lock() and CRYPTO_w_lock() operations within OpenSSL's
  libcrypto become no-ops. These lock operations are required to protect
  OpenSSL's crypto routines, the error handling, memory allocation, random
  number generator, and more. Heimdal is only safe to build against OpenSSL
  when one of the following is true:

    1. It is built single threaded
    2. It is linked to an application that is aware of OpenSSL, links to
       OpenSSL, and registers the appropriate callbacks.

  Heimdal provides its own crypto library, libhcrypto, which is thread safe
  and is built against its own version of libtommath which is modified to
  reduce the risk of information leakage based upon computation timing
  attacks. Please package Heimdal using the built-in hcrypto library or
  contribute an hcrypto wrapper around another crypto library (NSS?) which
  is thread-safe without callbacks.

Since the OpenSSL backend is not as safe as I had hoped, I have made the switch back to hcrypto in heimdal-1.6.0-0.9.20140621gita5adc06 (http://pkgs.fedoraproject.org/cgit/heimdal.git/commit/?id=6506dba571b789ee4a0eff5b5b89e03449d9b024)

Comment 2 Jaroslav Reznik 2015-03-03 17:02:48 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:

Note You need to log in before you can comment on or make changes to this bug.