Accepting request 49430 from security
Copy from security/haveged based on submit request 49430 from user elvigia OBS-URL: https://build.opensuse.org/request/show/49430 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haveged?expand=0&rev=1
commit
7be6390a5a
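--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text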
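--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc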
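--- a/haveged-0.9-cloexec.patch
+++ b/haveged-0.9-cloexec.patch
@@ -0,0 +1,68 @@
+Index: src/haveged.c
+===================================================================
+--- src/haveged.c.orig 2009-09-02 18:58:14.000000000 +0200
++++ src/haveged.c 2010-07-26 17:14:35.334236000 +0200
+@@ -83,7 +83,7 @@ void daemonize(struct hperf *perf)
+signal(SIGTERM, tidy_exit);
+if (daemon(0, 0) == -1)
+error_exit("Cannot fork into the background");
+- fh = fopen(params->pid_file, "w");
++ fh = fopen(params->pid_file, "we");
+if (!fh)
+error_exit("Couldn't open PID file \"%s\" for writing: %m.", params->pid_file);
+fprintf(fh, "%i", getpid());
+@@ -147,12 +147,12 @@ int get_poolsize()
+int max_bits,major,minor;
+
+if (params->run_level==0) {
+- poolsize_fh = fopen(params->poolsize, "rb");
++ poolsize_fh = fopen(params->poolsize, "rbe");
+if (poolsize_fh) {
+if (fscanf(poolsize_fh, "%d", &max_bits)!=1)
+max_bits = -1;
+fclose(poolsize_fh);
+- osrel_fh = fopen(params->os_rel, "rb");
++ osrel_fh = fopen(params->os_rel, "rbe");
+if (osrel_fh) {
+if (fscanf(osrel_fh,"%d.%d", &major, &minor)<2)
+major = minor = 0;
+@@ -263,7 +263,7 @@ void run(int poolsize, struct rand_pool_
+daemonize(perf);
+if (params->low_water>0)
+set_watermark(params->low_water);
+- random_fd = open(params->random_device, O_RDWR);
++ random_fd = open(params->random_device, O_RDWR | O_CLOEXEC);
+if (random_fd == -1)
+error_exit("Couldn't open random device: %m");
+break;
+@@ -272,7 +272,7 @@ void run(int poolsize, struct rand_pool_
+return;
+default:
+ct = params->sample_size*1024;
+- if (!(fout = fopen (params->sample_out, "wb")))
++ if (!(fout = fopen (params->sample_out, "wbe")))
+error_exit("Cannot open file <%s> for writing.\n", params->sample_out);
+fprintf(stderr, "Writing %d byte sample\n",ct);
+}
+@@ -334,7 +334,7 @@ void set_watermark(int level)
+{
+FILE *wm_fh;
+
+- wm_fh = fopen(params->watermark, "w");
++ wm_fh = fopen(params->watermark, "we");
+if (wm_fh) {
+fprintf(wm_fh, "%d\n", level);
+fclose(wm_fh);
+Index: configure.ac
+===================================================================
+--- configure.ac.orig 2009-09-02 01:22:33.000000000 +0200
++++ configure.ac 2010-07-26 17:20:58.745701000 +0200
+@@ -8,7 +8,7 @@ AC_CONFIG_AUX_DIR(config)
+AC_CONFIG_HEADER([config.h])
+AM_INIT_AUTOMAKE
+AC_CONFIG_SRCDIR([/src/haveged.c])
+-
++AC_USE_SYSTEM_EXTENSIONS
+## Make nist self-test configurable
+AC_ARG_ENABLE(nistest, AS_HELP_STRING([--enable-nistest=[no/yes]],[Run NIST test suite [default=no]]),, enable_nistest="no")
+if test "x$enable_nistest" = "xyes"; then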
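Review bot: The `O_CLOEXEC` added to the `open()` call in `run()` depends on `_GNU_SOURCE` being defined before `<fcntl.h>` is included on glibc versions of this period, and because configure.ac uses `AC_CONFIG_HEADER([config.h])` the define produced by `AC_USE_SYSTEM_EXTENSIONS` ends up in config.h rather than on the compiler command line. No hunk in this patch makes src/haveged.c include config.h; that include only arrives with haveged-capabilties.patch, so this patch appears to rely on the later one to build as intended. Moving the `#ifdef HAVE_CONFIG_H` / `#include "config.h"` / `#endif` lines into this patch, ahead of the system headers, would make it self-contained. The `e` mode letter in the `fopen()` calls is a glibc extension that other C libraries may ignore without an error, so a comment at the first call such as `/* "e": open with O_CLOEXEC (glibc >= 2.7); may be ignored by other libcs */` would record that the protection is best-effort. The bodies of daemonize(), get_poolsize(), run() and set_watermark() continue outside the hunks.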
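--- a/haveged-0.9.tar.bz2
+++ b/haveged-0.9.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b94fdb1c0891aaf8b7a00faa0b426e1a6c93a0665c60cd8db510ca4d87ea834d
+size 166681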
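--- a/haveged-capabilties.patch
+++ b/haveged-capabilties.patch
@@ -0,0 +1,58 @@
+--- configure.ac.orig 2010-09-24 18:13:42.282707000 +0200
++++ configure.ac 2010-09-24 18:13:42.311704000 +0200
+@@ -68,7 +68,7 @@ AC_FUNC_MALLOC
+AC_FUNC_SELECT_ARGTYPES
+AC_TYPE_SIGNAL
+AC_CHECK_FUNCS([floor gettimeofday memset pow select sqrt])
+-
++LIBCAP_NG_PATH
+# Sets hardware depedent define for the build
+AC_SUBST(HA_CPPFLAGS,$HA_CPPFLAGS)
+
+--- src/Makefile.am.orig 2009-09-01 22:45:25.000000000 +0200
++++ src/Makefile.am 2010-09-24 18:13:42.319719000 +0200
+@@ -4,5 +4,5 @@ AM_CFLAGS=-Wall
+AM_CPPFLAGS = @HA_CPPFLAGS@
+
+haveged_SOURCES = haveged.c havege.c havegedef.h haveged.h havege.h oneiteration.h loopbody.h
+-
++haveged_LDADD = @CAPNG_LDADD@
+MAINTAINERCLEANFILES = Makefile.in
+--- src/haveged.c.orig 2010-09-24 18:13:42.276714000 +0200
++++ src/haveged.c 2010-09-24 18:14:41.605757000 +0200
+@@ -16,6 +16,11 @@
+** You should have received a copy of the GNU General Public License
+** along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
+#include <stdlib.h>
+#include <stdio.h>
+#include <math.h>
+@@ -37,6 +42,10 @@
+#include <linux/random.h>
+#include <errno.h>
+
++#ifdef HAVE_LIBCAP_NG
++#include <cap-ng.h>
++#endif
++
+#include "havege.h"
+/**
+* Parameters
+@@ -170,6 +179,12 @@ int get_poolsize()
+*/
+int main(int argc, char **argv)
+{
++#ifdef HAVE_LIBCAP_NG
++ /* Drop capabilities */
++ capng_clear(CAPNG_SELECT_BOTH);
++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN);
++ capng_apply(CAPNG_SELECT_BOTH);
++#endif
+static const char* cmds[] = {
+"d", "data", "1", "Data cache size [KB]",
+"i", "inst", "1", "Instruction cache size [KB]",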
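Review bot: The three libcap-ng calls added at the top of `main()` discard their return values, so when `capng_update()` or `capng_apply()` fails the daemon carries on with the capability set it was started with and nothing is reported. At minimum the result should be checked and logged, for example `if (capng_apply(CAPNG_SELECT_BOTH) != 0) fprintf(stderr, "haveged: could not drop capabilities\n");`. Whether to exit on failure depends on whether haveged must still run unprivileged (the file-sample path in `run()` suggests it may), where a request for `CAP_SYS_ADMIN` cannot succeed. `CAP_SYS_ADMIN` is a broad capability, so the `/* Drop capabilities */` comment should also say why it is the one kept (presumably the entropy ioctl on the random device and the watermark write; confirm against the rest of the file). `main()` continues outside the hunk.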
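--- a/haveged.changes
+++ b/haveged.changes
@@ -0,0 +1,53 @@
+-------------------------------------------------------------------
+Fri Sep 24 16:14:20 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Drop as much capabilitites as possible using libcap-ng
+
+-------------------------------------------------------------------
+Sat Jul 31 23:55:20 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- I meant Enhances not Supplements
+
+-------------------------------------------------------------------
+Fri Jul 30 22:18:23 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Implement hack to start by default only in VMs
+
+-------------------------------------------------------------------
+Tue Jul 27 22:02:20 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Run the complete test suite (for the paranoid)
+- use O_CLOEXEC on fds
+
+-------------------------------------------------------------------
+Tue Jul 20 21:27:49 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- enable daemon by default
+- add a few Supplements so the it gets installed automatically.
+
+-------------------------------------------------------------------
+Sun Jul 18 21:25:16 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- add proper Requires(pre)
+
+-------------------------------------------------------------------
+Fri Jul 16 17:30:31 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- build with no optimization, there are reports saying it
+may crash with -O1 like http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563938
+
+-------------------------------------------------------------------
+Thu Jul 15 17:37:11 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- move deamon to /sbin
+- tune the spec file
+- add a SUSE standard init script
+
+-------------------------------------------------------------------
+Fri May 28 14:03:54 CEST 2010 - meissner@suse.de
+
+- haveged 0.9
+
+Gather entropy by doing calculation and looking
+at secondary high resolution processor information
+(tsc, cache misses etc.)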
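--- a/haveged.init
+++ b/haveged.init
@@ -0,0 +1,113 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: haveged
+# Required-Start: $syslog $local_fs
+# Required-Stop: $syslog $local_fs
+# Default-Start: 2 3 5
+# Default-Stop:
+# Short-Description: Daemon to feed entropy into /dev/urandom
+# Description: The haveged daemon uses the timing variations that occur in executing a fixed loop
+# to generate random numbers that are fed into the random pool.
+### END INIT INFO
+
+HAVEGED_BIN=/sbin/haveged
+HAVEGED_PARAMS="-w 1024 -v 1"
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+. /etc/rc.status
+
+# First reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - misc error
+# 2 - invalid or excess args
+# 3 - unimplemented feature (e.g. reload)
+# 4 - insufficient privilege
+# 5 - program not installed
+# 6 - program not configured
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signalling is not supported) are
+# considered a success.
+case "$1" in
+start)
+echo -n "Starting haveged daemon "
+## Start daemon with startproc(8). If this fails
+## the echo return value is set appropriate.
+
+
+# startproc should return 0, even if service is
+# already running to match LSB spec.
+startproc $HAVEGED_BIN $HAVEGED_PARAMS
+
+# Remember status and be verbose
+rc_status -v
+;;
+stop)
+echo -n "Shutting down haveged daemon "
+killproc -TERM $HAVEGED_BIN
+
+# Remember status and be verbose
+rc_status -v
+;;
+try-restart|condrestart)
+## Do a restart only if the service was active before.
+## Note: try-restart is now part of LSB (as of 1.9).
+## RH has a similar command named condrestart.
+if test "$1" = "condrestart"; then
+echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+fi
+$0 status
+if test $? = 0; then
+$0 restart
+else
+rc_reset # Not running is not a failure.
+fi
+# Remember status and be quiet
+rc_status
+;;
+restart | force-reload)
+$0 stop
+$0 start
+;;
+reload)
+## Like force-reload, but if daemon does not support
+## signaling, do nothing (!)
+rc_failed 3
+rc_status -v
+;;
+status)
+echo -n "Checking for haveged daemon "
+## Check status with checkproc(8), if process is running
+## checkproc will return with exit status 0.
+
+# Status has a slightly different for the status command:
+# 0 - service running
+# 1 - service dead, but /var/run/ pid file exists
+# 2 - service dead, but /var/lock/ lock file exists
+# 3 - service not running
+
+# NOTE: checkproc returns LSB compliant status values.
+checkproc $HAVEGED_BIN
+rc_status -v
+;;
+*)
+echo $"Usage: $0 {start|stop|status|restart|reload}"
+exit 1
+;;
+esac
+
+rc_exit
+
+# vim: set sw=4 ts=4 et: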
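Review bot: The script never tests that `$HAVEGED_BIN` is present, although its own comment block lists exit status 5 for "program not installed", so `start` reports only a generic failure when the binary is missing. Add the usual guard right after the two variable assignments: `test -x $HAVEGED_BIN || { echo "$HAVEGED_BIN not installed"; [ "$1" = "stop" ] && exit 0 || exit 5; }`. The usage line uses `$"..."`, a bash localisation quoting form that prints a literal `$` under other `/bin/sh` implementations; plain double quotes are enough there. The Short-Description names /dev/urandom while the Description speaks of the random pool, and the two should use the same wording.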
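--- a/haveged.spec
+++ b/haveged.spec
@@ -0,0 +1,99 @@
+#
+# spec file for package haveged (Version 0.9)
+#
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+
+Name: haveged
+Version: 0.9
+Release: 1
+License: GPLv3
+Group: System/Daemons
+Summary: Feed entropy into random pool
+Url: http://www.issihosts.com/haveged/
+Source0: http://www.issihosts.com/haveged/haveged-%{version}.tar.bz2
+Source1: haveged.init
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+Requires(pre): %insserv_prereq
+Requires(post): grep util-linux
+Enhances: openssl gpg2 php5 apache2 openvpn smtp_daemon
+Patch: haveged-0.9-cloexec.patch
+Patch1: haveged-capabilties.patch
+BuildRequires: libcap-ng-devel
+
+%description
+The haveged daemon feeds the linux entropy pool with random
+numbers generated from hidden processor state.
+
+For more informations see http://www.issihosts.com/haveged/
+
+%prep
+%setup -q
+%patch
+%patch1
+
+%build
+autoreconf -fiv
+CFLAGS="$RPM_OPT_FLAGS -O0"
+%configure --with-libcap-ng=yes --sbindir=/sbin --enable-nistest=yes
+make %{?smp_flags}
+
+%check
+make %{?smp_flags} check
+
+%install
+make DESTDIR=$RPM_BUILD_ROOT install
+%{__install} -m0755 %{S:1} %{buildroot}/etc/init.d/haveged
+%{__mkdir_p} %{buildroot}%{_sbindir}
+%{__ln_s} -f %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+## brace for impact...
+%if 0%{?sles_version}
+if [ -x /usr/bin/lscpu ]; then
+if /usr/bin/lscpu | grep -q "Virtualization type" ; then
+## Is a VM
+%{fillup_and_insserv -fy %{name}}
+else
+## it isnt.
+%{fillup_and_insserv -f %{name}}
+fi
+else
+##there is no lscpu! shouldnt happend...
+%{fillup_and_insserv -f %{name}}
+fi
+%else
+%{fillup_and_insserv -fy %{name}}
+%endif
+
+%postun
+%restart_on_update %{name}
+%{insserv_cleanup}
+
+%preun
+%stop_on_removal %{name}
+
+%files
+%defattr(-,root,root)
+%{_sbindir}/rc%{name}
+/sbin/haveged
+%config /etc/init.d/haveged
+%{_mandir}/man8/haveged.8.gz
+
+%changelog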
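Review bot: `CFLAGS="$RPM_OPT_FLAGS -O0"` in %build turns optimisation off for the whole daemon, and glibc's `_FORTIFY_SOURCE` checks only take effect when optimisation is enabled, so if the distribution optflags carry `-D_FORTIFY_SOURCE` that hardening is lost for a process started from the init script as root. The changelog ties -O0 to a reported crash at -O1; if that crash is confined to the entropy collection code, limiting -O0 to that object in src/Makefile.am and building the rest with the stock flags would keep the hardening. A comment above the line, `# -O0: workaround for the crash at -O1, see the Debian bug cited in haveged.changes`, would record why it is there. `%{?smp_flags}` is probably meant to be `%{?_smp_mflags}`; as written it likely expands to nothing, so the build runs serially.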