authorAdriaan de Jong <dejong@fox-it.com>2012-04-02 09:28:05 +0200
committerDavid Sommerseth <davids@redhat.com>2012-04-27 23:48:49 +0200
commit1d92d06dca5ac38990261cb546a766b91fc53f9b (patch)
tree8f5b682287d0ea9d03c5876373c4fd8566c0b30e /src/openvpn/crypto_polarssl.c
parent21fdfb73d5d18038872da15cd15026f40666b4d5 (diff)
Removed support for PolarSSL < 1.1
PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing certain operations, using the RDTSC instruction. Although this is fine on bare metal PCs, the RDTSC instruction is virtualised on some virtual machine implementations. This can result in issues on those virtual machines. PolarSSL fixes this potential issue by also using platform entropy. To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1 is therefore no longer supported. Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com URL: http://article.gmane.org/gmane.network.openvpn.devel/6211 Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'src/openvpn/crypto_polarssl.c')
-rw-r--r--src/openvpn/crypto_polarssl.c34
1 files changed, 0 insertions, 34 deletions
diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index 96d41b7..3978a3c 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -50,9 +50,7 @@
#include <polarssl/cipher.h>
#include <polarssl/havege.h>
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
#include <polarssl/entropy.h>
-#endif
/*
*
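Review bot: Nothing in this file now states or enforces the PolarSSL >= 1.1 requirement that the commit message gives as the reason for the change. With the guard around `#include <polarssl/entropy.h>` removed, a build against an older library fails only with a missing-header error, unless the build system checks the version somewhere not visible here. An explicit check after the includes, `#if (POLARSSL_VERSION_NUMBER < 0x01010000)` / `#error "PolarSSL >= 1.1 is required"` / `#endif`, would make the build fail closed with a stated reason. Separately, the `#include <polarssl/havege.h>` kept as context has no user left in the hunks shown once the Havege branches of `rand_ctx_get()` and `rand_bytes()` are deleted; if nothing else in the file needs it, it could be dropped as well.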
@@ -168,7 +166,6 @@ show_available_engines ()
* Initialise the given ctr_drbg context, using a personalisation string and an
* entropy gathering function.
*/
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
ctr_drbg_context * rand_ctx_get()
{
static entropy_context ec = {0};
@@ -200,25 +197,6 @@ ctr_drbg_context * rand_ctx_get()
return &cd_ctx;
}
-#else /* (POLARSSL_VERSION_NUMBER < 0x01010000) */
-
-havege_state * rand_ctx_get()
-{
- static havege_state hs = {0};
- static bool rand_initialised = false;
-
- if (!rand_initialised)
- {
- /* Initialise PolarSSL RNG */
- havege_init(&hs);
- rand_initialised = true;
- }
-
- return &hs;
-}
-
-#endif /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
-
#ifdef ENABLE_PREDICTION_RESISTANCE
void rand_ctx_enable_prediction_resistance()
{
@@ -231,26 +209,14 @@ void rand_ctx_enable_prediction_resistance()
int
rand_bytes (uint8_t *output, int len)
{
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
ctr_drbg_context *rng_ctx = rand_ctx_get();
-#else /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
- havege_state *rng_ctx = rand_ctx_get();
-#endif /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
while (len > 0)
{
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
const size_t blen = min_int (len, CTR_DRBG_MAX_REQUEST);
if (0 != ctr_drbg_random(rng_ctx, output, blen))
return 0;
-#else /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
- const size_t blen = min_int (len, sizeof(int));
- const int rand_int = havege_rand(rng_ctx);
- memcpy (output, &rand_int, blen);
-
-#endif /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
-
output += blen;
len -= blen;
}