Bug 1409291 - radcli: improper getentropy fallback
Summary: radcli: improper getentropy fallback
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: radcli
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-31 08:51 UTC by Florian Weimer
Modified: 2017-01-10 13:21 UTC (History)

Fixed In Version: radcli-1.2.7-2.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-10 13:21:13 UTC
Type: Bug
Embargoed:


Description Florian Weimer 2016-12-31 08:51:36 UTC
Due to the definition of getentropy by glibc, the /dev/urandom code is no longer compiled in:

/** Generates a random vector of AUTH_VECTOR_LEN octets
 *
 * @param vector a buffer with at least %AUTH_VECTOR_LEN bytes.
 */
static void rc_random_vector(unsigned char *vector)
{
        int randno;
        int i;
#if defined(HAVE_GETENTROPY)
        if (getentropy(vector, AUTH_VECTOR_LEN) >= 0) {
                return;
        }                       /* else fall through */
#elif defined(HAVE_DEV_URANDOM)
…
#endif
 fallback:
        for (i = 0; i < AUTH_VECTOR_LEN;) {
                randno = random();
                memcpy((char *)vector, (char *)&randno, sizeof(int));
                vector += sizeof(int);
                i += sizeof(int);
        }

        return;
}

This means that radcli will use non-random bytes when radcli is run on older kernels (which is supported by Fedora).
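
An added illustration of the fallback order the description implies (not radcli's code and not the change linked in comment 2): when getentropy() fails at run time, /dev/urandom is tried next, and the function reports failure instead of filling the vector from random(). The value of AUTH_VECTOR_LEN, the function names and the injectable primary source are assumptions, chosen so the older-kernel case can be exercised on any machine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <unistd.h>
#define AUTH_VECTOR_LEN 16 /* assumed value for this example */
typedef int (*entropy_fn)(void *buf, size_t len);

/* Constructed stand-in: getentropy() on a kernel without getrandom(2). */
int getentropy_enosys(void *buf, size_t len)
{
    (void)buf; (void)len;
    errno = ENOSYS;
    return -1;
}

/* Runtime fallback: read exactly len bytes from /dev/urandom. */
int urandom_fill(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = read(fd, buf, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        buf += n;
        len -= (size_t)n;
    }
    close(fd);
    return len == 0 ? 0 : -1;
}

/* 1: primary source worked, 2: /dev/urandom did, -1: fail (no random()). */
int random_vector(unsigned char *vector, entropy_fn primary)
{
    if (primary(vector, AUTH_VECTOR_LEN) == 0)
        return 1;
    if (urandom_fill(vector, AUTH_VECTOR_LEN) == 0)
        return 2;
    return -1;
}

int main(void)
{
    unsigned char v[AUTH_VECTOR_LEN];
    printf("ENOSYS stand-in -> source %d\n", random_vector(v, getentropy_enosys));
    return random_vector(v, getentropy) > 0 ? 0 : 1;
}
```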

Comment 1 Nikos Mavrogiannopoulos 2017-01-02 07:46:54 UTC
I do not think we should push for userspace to auto-detect the kernel subsystem for providing random numbers. Shouldn't we instead require the Fedora release with that change to specify the minimum kernel it can run with?

Comment 2 Nikos Mavrogiannopoulos 2017-01-02 07:47:45 UTC
A work-around for radcli in Fedora could be the following:
https://github.com/radcli/radcli/commit/7dd5af227d7b10e7eb3b5cb103adf24f44bcbad6

Comment 3 Florian Weimer 2017-01-02 07:52:48 UTC
(In reply to Nikos Mavrogiannopoulos from comment #1)
> I do not think we should push for userspace to auto-detect the kernel
> subsystem for providing random numbers. Shouldn't we instead require the Fedora
> release with that change to specify the minimum kernel it can run with?

I was recently told that Fedora userland has to work on kernels from other distributions:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/7BE66WZB64C3ECJ4NOGGRU5M7GBHGYKD/

Comment 4 Fedora Update System 2017-01-02 09:08:41 UTC
radcli-1.2.7-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e435c2abd9

Comment 5 Fedora Update System 2017-01-02 20:48:07 UTC
radcli-1.2.7-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e435c2abd9

Comment 6 Fedora Update System 2017-01-10 13:21:13 UTC
radcli-1.2.7-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
