Completely remove RAND_egd support

The EGD daemon is completely unmaintained and has not seen a release since 13 years which is not an acceptable timeframe for cryptographic software. It is not packaged in any linux distribution I know of and definitely not in *BSD. LibreSSL has already dropped support for RAND_egd.
heimdal · Oct 6, 2015 · 427a600 · 427a600
1 parent 4340205
commit 427a600
Show file tree

Hide file tree

Showing 10 changed files with 1 addition and 307 deletions.
diff --git a/cf/crypto.m4 b/cf/crypto.m4
@@ -118,7 +118,7 @@ if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then
 			break;
 		fi
 	done
-	AC_CHECK_LIB(crypto, RAND_egd, AC_DEFINE(HAVE_RAND_EGD, 1, [Define if the libcrypto has RAND_egd]))
+	AC_CHECK_LIB(crypto, OPENSSL_init, [])
 	CFLAGS="$save_CFLAGS"
 	LIBS="$save_LIBS"
 fi

diff --git a/lib/hcrypto/Makefile.am b/lib/hcrypto/Makefile.am
@@ -127,7 +127,6 @@ libhcrypto_la_SOURCES =	\
 	md5.h		\
 	pkcs5.c		\
 	pkcs12.c	\
-	rand-egd.c	\
 	rand-fortuna.c	\
 	rand-timer.c	\
 	rand-unix.c	\

diff --git a/lib/hcrypto/libhcrypto-exports.def b/lib/hcrypto/libhcrypto-exports.def
@@ -241,9 +241,6 @@ EXPORTS
 	hc_RAND_add
 	hc_RAND_bytes
 	hc_RAND_cleanup
-;!	hc_RAND_egd
-;!	hc_RAND_egd_bytes
-;!	hc_RAND_egd_method
 	hc_RAND_file_name
 ;!	hc_RAND_fortuna_method
 	hc_RAND_get_rand_method

diff --git a/lib/hcrypto/rand-egd.c b/lib/hcrypto/rand-egd.c
diff --git a/lib/hcrypto/rand-fortuna.c b/lib/hcrypto/rand-fortuna.c
@@ -485,20 +485,6 @@ fortuna_reseed(void)
 	add_entropy(&main_state, (void *)buf, sizeof(buf));
 	entropy_p = 1;
     }
-#endif
-#if defined(HAVE_RAND_EGD)
-    /*
-     * Only to get egd entropy if /dev/random or arc4rand failed since
-     * it can be horribly slow to generate new bits.
-     */
-    if (!entropy_p) {
-	unsigned char buf[INIT_BYTES];
-	if ((*hc_rand_egd_method.bytes)(buf, sizeof(buf)) == 1) {
-	    add_entropy(&main_state, buf, sizeof(buf));
-	    entropy_p = 1;
-	    memset(buf, 0, sizeof(buf));
-	}
-    }
 #endif
     /*
      * Fall back to gattering data from timer and secret files, this

diff --git a/lib/hcrypto/rand.h b/lib/hcrypto/rand.h
@@ -56,10 +56,7 @@ typedef struct RAND_METHOD RAND_METHOD;
 #define RAND_load_file hc_RAND_load_file
 #define RAND_write_file hc_RAND_write_file
 #define RAND_status hc_RAND_status
-#define RAND_egd hc_RAND_egd
-#define RAND_egd_bytes hc_RAND_egd_bytes
 #define RAND_fortuna_method hc_RAND_fortuna_method
-#define RAND_egd_method hc_RAND_egd_method
 #define RAND_unix_method hc_RAND_unix_method
 #define RAND_w32crypto_method hc_RAND_w32crypto_method
 
@@ -97,13 +94,10 @@ const char *
 int	RAND_load_file(const char *, size_t);
 int	RAND_write_file(const char *);
 int	RAND_status(void);
-int	RAND_egd(const char *);
-int	RAND_egd_bytes(const char *, int);
 
 
 const RAND_METHOD *	RAND_fortuna_method(void);
 const RAND_METHOD *	RAND_unix_method(void);
-const RAND_METHOD *	RAND_egd_method(void);
 const RAND_METHOD *	RAND_w32crypto_method(void);
 
 #endif /* _HEIM_RAND_H */
diff --git a/lib/hcrypto/randi.h b/lib/hcrypto/randi.h
@@ -40,7 +40,6 @@
 
 extern const RAND_METHOD hc_rand_fortuna_method;
 extern const RAND_METHOD hc_rand_unix_method;
-extern const RAND_METHOD hc_rand_egd_method;
 extern const RAND_METHOD hc_rand_timer_method;
 extern const RAND_METHOD hc_rand_w32crypto_method;
 

diff --git a/lib/hcrypto/test_rand.c b/lib/hcrypto/test_rand.c
@@ -125,10 +125,6 @@ main(int argc, char **argv)
 	else if (strcasecmp(rand_method, "unix") == 0)
 	    RAND_set_rand_method(RAND_unix_method());
 #endif
-#if defined(HAVE_RAND_EGD)
-	else if (strcasecmp(rand_method, "egd") == 0)
-	    RAND_set_rand_method(RAND_egd_method());
-#endif
 #ifdef WIN32
 	else if (strcasecmp(rand_method, "w32crypto") == 0)
 	    RAND_set_rand_method(RAND_w32crypto_method());

diff --git a/lib/hcrypto/version-script.map b/lib/hcrypto/version-script.map
@@ -226,9 +226,6 @@ HEIMDAL_CRYPTO_1.0 {
 		hc_RAND_add;
 		hc_RAND_bytes;
 		hc_RAND_cleanup;
-		hc_RAND_egd;
-		hc_RAND_egd_bytes;
-		hc_RAND_egd_method;
 		hc_RAND_file_name;
 		hc_RAND_fortuna_method;
 		hc_RAND_get_rand_method;

diff --git a/lib/krb5/crypto-rand.c b/lib/krb5/crypto-rand.c
@@ -67,22 +67,8 @@ seed_something(void)
     /* Calling RAND_status() will try to use /dev/urandom if it exists so
        we do not have to deal with it. */
     if (RAND_status() != 1) {
-#if defined(HAVE_RAND_EGD)
-	krb5_context context;
-	const char *p;
-
-	/* Try using egd */
-	if (!krb5_init_context(&context)) {
-	    p = krb5_config_get_string(context, NULL, "libdefaults",
-				       "egd_socket", NULL);
-	    if (p != NULL)
-		RAND_egd_bytes(p, ENTROPY_NEEDED);
-	    krb5_free_context(context);
-	}
-#else
 	/* TODO: Once a Windows CryptoAPI RAND method is defined, we
 	   can use that and failover to another method. */
-#endif
     }
 
     if (RAND_status() == 1)	{