From 6efeaa2e4462bc10f395d8aceed363c3e77b35a3 Mon Sep 17 00:00:00 2001 From: Adriaan de Jong Date: Mon, 2 Apr 2012 09:28:02 +0200 Subject: Added support for new PolarSSL 1.1 RNG This patch, while retaining PolarSSL 1.0 support, introduces the PolarSSL 1.1 DRBG. This RNG adds a number of features, including support for personalisation strings and multiple entropy sources. Personalisation strings have been implemented, based on PID, program name, place within memory, and a hash of the user's certificate. The entropy sources used are the platform default ones. Which ones these are depends on how PolarSSL was built, but usually this includes: - /dev/urandom or the Windows CryptoAPI RNG - the HAVEGE RNG - the output of PolarSSL's hardclock() call (usually RDTSC) Finally, this patch moves to only one instance of the RNG per OpenVPN instance, instead of one per keystate Signed-off-by: Adriaan de Jong Signed-off-by: Eelse-jan Stutvoet Acked-by: James Yonan Message-Id: 1333351687-3732-1-git-send-email-dejong@fox-it.com URL: http://article.gmane.org/gmane.network.openvpn.devel/6210 Signed-off-by: David Sommerseth --- src/openvpn/crypto_polarssl.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'src/openvpn/crypto_polarssl.h') diff --git a/src/openvpn/crypto_polarssl.h b/src/openvpn/crypto_polarssl.h index 358483a..2f303db 100644 --- a/src/openvpn/crypto_polarssl.h +++ b/src/openvpn/crypto_polarssl.h @@ -30,9 +30,16 @@ #ifndef CRYPTO_POLARSSL_H_ #define CRYPTO_POLARSSL_H_ +#include #include #include +#if (POLARSSL_VERSION_NUMBER >= 0x01010000) +# include +#else +# include +#endif + /** Generic cipher key type %context. */ typedef cipher_info_t cipher_kt_t; 
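Review bot: The `#if (POLARSSL_VERSION_NUMBER >= 0x01010000)` test evaluates to false without any diagnostic if the macro is not defined at that point, because the preprocessor treats an undefined identifier as 0, so the header would select the PolarSSL 1.0 HAVEGE branch. The header names were lost in this rendering, so I cannot confirm that the newly added first `#include` is the PolarSSL version header. If it is, a guard right after it such as `#ifndef POLARSSL_VERSION_NUMBER` / `#error "POLARSSL_VERSION_NUMBER is not defined"` / `#endif` makes a misconfigured build fail loudly instead of quietly falling back to the older RNG path. The same version test is repeated in the second hunk around the `rand_ctx_get()` declarations.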
@@ -71,4 +78,22 @@ typedef md_context_t hmac_ctx_t; #define SHA_DIGEST_LENGTH 20 #define DES_KEY_LENGTH 8 +/** + * Returns a singleton instance of the PolarSSL random number generator. + * + * For PolarSSL 1.0, this is the HAVEGE random number generator. + * + * For PolarSSL 1.1+, this is the CTR_DRBG random number generator. If it + * hasn't been initialised yet, the RNG will be initialised using the default + * entropy sources. Aside from the default platform entropy sources, an + * additional entropy source, the HAVEGE random number generator will also be + * added. During initialisation, a personalisation string will be added based + * on the time, the PID, and a pointer to the random context. + */ +#if (POLARSSL_VERSION_NUMBER >= 0x01010000) +ctr_drbg_context * rand_ctx_get(); +#else +havege_state * rand_ctx_get(); +#endif + #endif /* CRYPTO_POLARSSL_H_ */ -- cgit
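Review bot: The doc comment on `rand_ctx_get()` says the personalisation string is built from the time, the PID and a pointer to the random context, while the commit description lists the PID, program name, place within memory and a hash of the user's certificate. One of the two is stale, and the comment should match what the implementation (not part of this file) actually mixes in. The comment also does not say what a caller receives if seeding the CTR_DRBG from the entropy sources fails, which matters now that all key states share this one instance. I would add a line such as ` * @return Pointer to the shared RNG context; state here whether it can be NULL or whether initialisation failure is fatal.` Separately, both declarations use empty parentheses, which in C leaves the parameter list unspecified; `ctr_drbg_context * rand_ctx_get(void);` and `havege_state * rand_ctx_get(void);` give a real prototype.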