diff options
| author | Adriaan de Jong <dejong@fox-it.com> | 2012-04-02 09:28:02 +0200 |
|---|---|---|
| committer | David Sommerseth <davids@redhat.com> | 2012-04-27 23:31:44 +0200 |
| commit | 6efeaa2e4462bc10f395d8aceed363c3e77b35a3 (patch) | |
| tree | 48732b5de9c86e8989dfeca0756b4162a3072088 /src/openvpn/crypto_polarssl.h | |
| parent | 4e846b39a35b5f9501e4283be0af620d7c9c8b5c (diff) | |
| download | openvpn-6efeaa2e4462bc10f395d8aceed363c3e77b35a3.tar.gz openvpn-6efeaa2e4462bc10f395d8aceed363c3e77b35a3.tar.xz openvpn-6efeaa2e4462bc10f395d8aceed363c3e77b35a3.zip | |
Added support for new PolarSSL 1.1 RNG
This patch, while retaining PolarSSL 1.0 support, introduces the PolarSSL 1.1 DRBG.
This RNG adds a number of features, including support for personalisation strings
and multiple entropy sources.
Personalisation strings have been implemented, based on PID, program name, place
within memory, and a hash of the user's certificate.
The entropy sources used are the platform default ones. Which ones these are
depends on how PolarSSL was built, but usually this includes:
- /dev/urandom or the Windows CryptoAPI RNG
- the HAVEGE RNG
- the output of PolarSSL's hardclock() call (usually RDTSC)
Finally, this patch moves to only one instance of the RNG per OpenVPN instance,
instead of one per keystate
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Signed-off-by: Eelse-jan Stutvoet <stutvoet@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: 1333351687-3732-1-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6210
Signed-off-by: David Sommerseth <davids@redhat.com>
Notes
Notes:
This patch was ACKed by James Yonan in an IRC meeting March 29, 2012 under the condition
that PolarSSL 1.0 and havege support is removed later on.
Currently, the meeting minutes have not been made public.
(David Sommerseth, Fri Apr 27 21:31:03 UTC 2012)
Diffstat (limited to 'src/openvpn/crypto_polarssl.h')
| -rw-r--r-- | src/openvpn/crypto_polarssl.h | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_polarssl.h index 358483a..2f303db 100644 --- a/src/openvpn/crypto_polarssl.h +++ b/src/openvpn/crypto_polarssl.h @@ -30,9 +30,16 @@ #ifndef CRYPTO_POLARSSL_H_ #define CRYPTO_POLARSSL_H_ +#include <polarssl/version.h> #include <polarssl/cipher.h> #include <polarssl/md.h> +#if (POLARSSL_VERSION_NUMBER >= 0x01010000) +# include <polarssl/ctr_drbg.h> +#else +# include <polarssl/havege.h> +#endif + /** Generic cipher key type %context. */ typedef cipher_info_t cipher_kt_t; @@ -71,4 +78,22 @@ typedef md_context_t hmac_ctx_t; #define SHA_DIGEST_LENGTH 20 #define DES_KEY_LENGTH 8 +/** + * Returns a singleton instance of the PolarSSL random number generator. + * + * For PolarSSL 1.0, this is the HAVEGE random number generator. + * + * For PolarSSL 1.1+, this is the CTR_DRBG random number generator. If it + * hasn't been initialised yet, the RNG will be initialised using the default + * entropy sources. Aside from the default platform entropy sources, an + * additional entropy source, the HAVEGE random number generator will also be + * added. During initialisation, a personalisation string will be added based + * on the time, the PID, and a pointer to the random context. + */ +#if (POLARSSL_VERSION_NUMBER >= 0x01010000) +ctr_drbg_context * rand_ctx_get(); +#else +havege_state * rand_ctx_get(); +#endif + #endif /* CRYPTO_POLARSSL_H_ */ |