From cf5bebd56f5c00709e1dccf984e22ffc329cae3c Mon Sep 17 00:00:00 2001
From: Christian Wiese <christian.wiese@securepoint.de>
Date: Wed, 4 Sep 2013 16:35:02 +0200
Subject: [PATCH] csprng: improved to be able to disable the fetching of random
 data via http

---
 .../csprng/0001-add-disable-http-rng.patch    | 206 ++++++++++++++++++
 security/csprng/csprng.conf                   |   3 +
 2 files changed, 209 insertions(+)
 create mode 100644 security/csprng/0001-add-disable-http-rng.patch

diff --git a/security/csprng/0001-add-disable-http-rng.patch b/security/csprng/0001-add-disable-http-rng.patch
new file mode 100644
index 000000000..6c87436f9
--- /dev/null
+++ b/security/csprng/0001-add-disable-http-rng.patch
@@ -0,0 +1,206 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../csprng/0001-add-disable-http-rng.patch
+# Copyright (C) 2013 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+This patch introduces a new configure option '--disable-http-rng' to disable
+the feature to fetch random data via http from random.irb.hr.
+
+--- a/configure.ac	2013-09-04 15:24:23.917623411 +0200
++++ b/configure.ac	2013-09-04 15:33:53.843839270 +0200
+@@ -55,6 +55,23 @@
+ AC_TYPE_SIGNAL
+ AC_CHECK_FUNCS([floor gettimeofday memset pow select sqrt clock_gettime])
+ 
++#### disable http rng feature (default: enabled)
++AC_ARG_ENABLE([http-rng],
++    AS_HELP_STRING([--disable-http-rng], [Disable feature to fetch random data via http from random.irb.hr]))
++
++AS_IF([test "x$enable_http_rng" != "xno"], [
++	dnl Do the stuff needed for enabling the feature
++	DISABLE_HTTP_RNG="yes"
++])
++
++AM_CONDITIONAL([ENABLE_HTTP_RNG], [test "x$DISABLE_HTTP_RNG" = "xyes"])
++
++# Define HTTP_RNG in config.h if we're going to compile against it
++if test "x$DISABLE_HTTP_RNG" = "xyes"; then
++    AC_DEFINE([ENABLE_HTTP_RNG], 1, ["Define to 1 if you want to enable http rng feature."])
++    AC_MSG_NOTICE([disable http rng])
++fi
++
+ #### Find OpenSSL
+ AC_MSG_CHECKING([for --with-openssl])
+ AC_ARG_WITH(
+--- a/src/Makefile.am	2013-09-04 13:25:26.970114877 +0200
++++ b/src/Makefile.am	2013-09-04 15:43:09.946405852 +0200
+@@ -16,6 +16,14 @@
+ libcsprng_la_CPPFLAGS = -I$(top_srcdir)/include
+ libcsprng_la_LDFLAGS = -version-number @CSPRNG_LT_VERSION@
+ 
++if ENABLE_HTTP_RNG
++	HTTP_RNG_SOURCES= \
++		QRBG.h \
++		QRBG.cpp \
++		qrbg-c.cpp \
++		http_rng.c
++endif
++
+ # Sources
+ # The shell script is the easy way to do this, by far.  But it may not
+ # be sufficiently portable.
+@@ -29,11 +37,8 @@
+ 		       csprng.c \
+ 		       memt19937ar-JH.c \
+ 		       sha1_rng.c \
+-                       fips.c \
+-                       QRBG.h \
+-                       QRBG.cpp \
+-                       qrbg-c.cpp \
+-		       http_rng.c
++		       $(HTTP_RNG_SOURCES) \
++		       fips.c
+ 
+ MAINTAINERCLEANFILES = Makefile.in
+ 
+--- a/src/csprng.c	2013-09-04 14:41:34.295736601 +0200
++++ b/src/csprng.c	2013-09-04 15:37:22.230823512 +0200
+@@ -38,7 +38,9 @@
+ #include <csprng/nist_ctr_drbg.h>
+ #include <csprng/memt19937ar-JH.h>
+ #include <csprng/sha1_rng.h>
++#if defined(ENABLE_HTTP_RNG)
+ #include <csprng/http_rng.h>
++#endif
+ #include <csprng/csprng.h>
+ #include <csprng/fips.h>
+ 
+@@ -282,6 +284,7 @@
+ }
+ //}}}
+ 
++#if defined(ENABLE_HTTP_RNG)
+ //{{{ static void fill_buffer_using_HTTP ( rng_buf_type* data )
+ static void fill_buffer_using_HTTP ( rng_buf_type* data )
+ {
+@@ -332,6 +335,7 @@
+   return;
+ }
+ //}}}
++#endif
+ 
+ //{{{ static void fill_buffer_using_MT_RNG ( rng_buf_type* data )
+ static void fill_buffer_using_MT_RNG ( rng_buf_type* data )
+@@ -380,9 +384,11 @@
+       case SHA1_RNG:
+         fill_buffer_using_SHA (data);
+         break;
++#if defined(ENABLE_HTTP_RNG)
+       case HTTP_RNG:
+         fill_buffer_using_HTTP (data);
+         break;
++#endif
+       case MT_RNG:
+         fill_buffer_using_MT_RNG (data);
+         break;
+@@ -906,9 +912,11 @@
+   unsigned int allocated_size;  //Number of bytes allocated for seed.
+   rng_state_type rng_state;
+   csprng_state_type* csprng_state;
++#if defined(ENABLE_HTTP_RNG)
+   char* QRBG_RNG_login_name;       //User name for random.irb.hr
+   char* QRBG_RNG_passwd;           //Password for  random.irb.hr
+   char HTTP_source_bitmask;        //source bitmask for http_random_init 
++#endif
+ 
+   //{{{ Init csprng_state, do sanity checks
+   assert ( mode_of_operation->entropy_source   < SOURCES_COUNT );
+@@ -1072,6 +1080,7 @@
+   }
+   //}}} 
+ 
++#if defined(ENABLE_HTTP_RNG)
+   //{{{ Check if need HTTP_RNG and init it
+   if ( csprng_state->mode.entropy_source == HTTP_RNG || csprng_state->mode.add_input_source == HTTP_RNG ) {
+     QRBG_RNG_login_name = getenv("QRBG_USER");
+@@ -1097,6 +1106,7 @@
+     if ( unsetenv("QRBG_PASSWD") ) fprintf(stderr, "WARNING: unsetenv(\"QRBG_PASSWD\") failed with %s.\n", strerror(errno));
+   }
+   //}}}
++#endif
+ 
+   //{{{ Check if need HAVEGE and init it
+   if ( csprng_state->mode.entropy_source == HAVEGE || csprng_state->mode.add_input_source == HAVEGE ) {
+@@ -1485,9 +1495,11 @@
+     destroy_buffer( csprng_state->entropy_buf );
+   }
+ 
++#if defined(ENABLE_HTTP_RNG)
+   if ( csprng_state->http != NULL ) {
+     http_random_destroy( csprng_state->http );
+   }
++#endif
+ 
+   if ( csprng_state->sha != NULL ) {
+     destroy_SHA1( csprng_state->sha );
+--- a/test/Makefile.am	2013-09-04 15:14:20.288198731 +0200
++++ b/test/Makefile.am	2013-09-04 15:18:27.146249565 +0200
+@@ -4,7 +4,10 @@
+ #bin_PROGRAMS = openssl-rand sha1_main memt qrbg_main http_main ctr_drbg_test
+ #TODO - link static does not work for qrbg_main.c => move it to C++ ??
+ 
+-bin_PROGRAMS = openssl-rand_main sha1_main memt_main qrbg_main http_main ctr_drbg_test havege_main 
++bin_PROGRAMS = openssl-rand_main sha1_main memt_main ctr_drbg_test havege_main 
++if ENABLE_HTTP_RNG
++  bin_PROGRAMS += qrbg_main http_main
++endif
+ if HAVE_LIBTESTU01
+   bin_PROGRAMS += TestU01_raw_stdin_input_with_log
+ endif
+--- a/utils/csprng-generate.c	2013-09-04 14:39:26.110846139 +0200
++++ b/utils/csprng-generate.c	2013-09-04 15:13:04.426054925 +0200
+@@ -832,7 +832,9 @@
+   mode_of_operation.file_read_size = 16384;
+   mode_of_operation.max_number_of_csprng_blocks   = arguments.max_num_of_blocks;
+   mode_of_operation.random_length_of_csprng_generated_bytes = arguments.randomize_num_of_blocks;
++#if defined(ENABLE_HTTP_RNG)
+   mode_of_operation.http_random_verbosity         = arguments.verbose;
++#endif
+ 
+   fips_state = fips_approved_csprng_initialize(arguments.fips_test, 0, &mode_of_operation);
+ 
+@@ -942,9 +944,11 @@
+       current_time = time(NULL);
+       strftime(current_time_string, sizeof(current_time_string) , "%a %b %H:%M:%S %Y", localtime(&current_time));
+       fprintf ( stderr, "\n========================= %s ==========================\n", current_time_string );
++#if defined(ENABLE_HTTP_RNG)
+       if ( arguments.entropy_source == HTTP_RNG || arguments.add_input_source == HTTP_RNG ) {
+         http_random_status( fips_state->csprng_state->http, 1);
+       }
++#endif
+       print_statistics(total_bytes_written, arguments.unlimited, remaining_bytes, arguments.size, stderr, &start_time);
+       fprintf(stderr, "\n");
+       if ( arguments.fips_test) fprintf ( stderr, "%s", dump_fips_statistics ( &fips_state->fips_ctx.fips_statistics ) );
+@@ -968,9 +972,11 @@
+   current_time = time(NULL);
+   strftime(current_time_string, sizeof(current_time_string) , "%a %b %H:%M:%S %Y", localtime(&current_time));
+   fprintf ( stderr, "\n======FINAL REPORT======= %s ==========================\n", current_time_string );
++#if defined(ENABLE_HTTP_RNG)
+   if ( arguments.entropy_source == HTTP_RNG || arguments.add_input_source == HTTP_RNG ) {
+     http_random_status( fips_state->csprng_state->http, 1);
+   }
++#endif
+   print_statistics(total_bytes_written, arguments.unlimited, remaining_bytes, arguments.size, stderr, &start_time);
+   fprintf(stderr, "\n");
+   if ( arguments.fips_test) fprintf ( stderr, "%s", dump_fips_statistics ( &fips_state->fips_ctx.fips_statistics ) );
diff --git a/security/csprng/csprng.conf b/security/csprng/csprng.conf
index 59cd916ff..3101736c3 100644
--- a/security/csprng/csprng.conf
+++ b/security/csprng/csprng.conf
@@ -12,6 +12,9 @@
 # GNU General Public License can be found in the file COPYING.
 # --- SDE-COPYRIGHT-NOTE-END ---
 
+# we patch in --disable-http-rng
+hook_add preconf 9 'autoreconf -vfi'
+
 # cross-compiling help
 if atstage cross; then
 	# always assuming a "gnu compatible" malloc