From 1d92d06dca5ac38990261cb546a766b91fc53f9b Mon Sep 17 00:00:00 2001
From: Adriaan de Jong
Date: Mon, 2 Apr 2012 09:28:05 +0200
Subject: Removed support for PolarSSL < 1.1

PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing certain operations, using the RDTSC instruction. Although this is fine on bare metal PCs, the RDTSC instruction is virtualised on some virtual machine implementations. This can result in issues on those virtual machines. PolarSSL fixes this potential issue by also using platform entropy. To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1 is therefore no longer supported.

Signed-off-by: Adriaan de Jong
Acked-by: David Sommerseth
Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6211
Signed-off-by: David Sommerseth
---
 src/openvpn/crypto_polarssl.c | 34 ----------------------------------
 1 file changed, 34 deletions(-)

(limited to 'src/openvpn/crypto_polarssl.c')

diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index 96d41b7..3978a3c 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -50,9 +50,7 @@
 #include
 #include
 
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
 #include
-#endif
 
 /*
 *
@@ -168,7 +166,6 @@ show_available_engines ()
 * Initialise the given ctr_drbg context, using a personalisation string and an
 * entropy gathering function.
 */
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
 ctr_drbg_context * rand_ctx_get()
 {
 static entropy_context ec = {0};
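Review bot: With the `POLARSSL_VERSION_NUMBER` guards removed from the include block and from around `rand_ctx_get()`, nothing visible in this file makes a build against PolarSSL < 1.1 fail with a clear message; it would stop on the now-unconditional `#include` or on the `ctr_drbg_context` type instead. Since the stated purpose is to guarantee an RNG that also uses platform entropy rather than Havege alone, an explicit check after the PolarSSL includes would both document and enforce that: `#if (POLARSSL_VERSION_NUMBER < 0x01010000)`, `#error "PolarSSL >= 1.1 is required (RNG must use platform entropy)"`, `#endif`. The build system may already enforce the minimum version, which this diff does not show; if so, a one-line comment saying where would be enough. The same reasoning covers the guards removed in the `rand_ctx_get()` and `rand_bytes()` hunks.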
@@ -200,25 +197,6 @@ ctr_drbg_context * rand_ctx_get()
 return &cd_ctx;
 }
 
-#else /* (POLARSSL_VERSION_NUMBER < 0x01010000) */
-
-havege_state * rand_ctx_get()
-{
- static havege_state hs = {0};
- static bool rand_initialised = false;
-
- if (!rand_initialised)
- {
- /* Initialise PolarSSL RNG */
- havege_init(&hs);
- rand_initialised = true;
- }
-
- return &hs;
-}
-
-#endif /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
-
 #ifdef ENABLE_PREDICTION_RESISTANCE
 void rand_ctx_enable_prediction_resistance()
 {
@@ -231,26 +209,14 @@ void rand_ctx_enable_prediction_resistance()
 int
 rand_bytes (uint8_t *output, int len)
 {
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
 ctr_drbg_context *rng_ctx = rand_ctx_get();
-#else /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
- havege_state *rng_ctx = rand_ctx_get();
-#endif /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
 
 while (len > 0)
 {
-#if (POLARSSL_VERSION_NUMBER >= 0x01010000)
 const size_t blen = min_int (len, CTR_DRBG_MAX_REQUEST);
 if (0 != ctr_drbg_random(rng_ctx, output, blen))
 return 0;
 
-#else /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
- const size_t blen = min_int (len, sizeof(int));
- const int rand_int = havege_rand(rng_ctx);
- memcpy (output, &rand_int, blen);
-
-#endif /* (POLARSSL_VERSION_NUMBER >= 0x01010000) */
-
 output += blen;
 len -= blen;
 }
-- cgit