#200 closed Bug / Defect (fixed)
PolarSSL v1.1.1 support
| Reported by: | palatinux | Owned by: | |
|---|---|---|---|
| Priority: | blocker | Milestone: | beta 2.3 |
| Component: | Crypto | Version: | OpenVPN 2.3-beta / 2.3-RC (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | polarssl havege |
| Cc: | andj | | |
Description
In order to enable PolarSSL v1.1.1 support for openvpn-2.3-alpha1, all functions containing the instruction 'havege_rand' should be changed to 'havege_random'.
The Fortress Linux security team.
https://www.fortresslinux.org
Change History (5)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
Thanks, the first patch worked. Though the involvement of FOX-IT in OpenVPN may raise some supposition:
comment:4 Changed 12 years ago by
| Cc: | andj added |
|---|---|
| Keywords: | polarssl havege added; Palatinux PolarSSL v1.1.1 openvpn 2.3 removed |
| Resolution: | → fixed |
| Severity: | Patch Queue: New / awaiting ACK → Not set (if unsure, select this one) |
| Status: | new → closed |
I've replied to the forum thread, in regards to the concerns of the Fox-IT involvement.
When it comes to Havege RNG support, that should be removed from OpenVPN 2.3. OpenVPN 2.3 will require PolarSSL v1.1 or newer, which supports better random generators.
```
commit 1d92d06dca5ac38990261cb546a766b91fc53f9b
Author: Adriaan de Jong <dejong@fox-it.com>
Date:   Mon Apr 2 09:28:05 2012 +0200

    Removed support for PolarSSL < 1.1

    PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on
    timing certain operations, using the RDTSC instruction. Although this
    is fine on bare metal PCs, the RDTSC instruction is virtualised on some
    virtual machine implementations. This can result in issues on those
    virtual machines. PolarSSL fixes this potential issue by also using
    platform entropy.

    To ensure that OpenVPN is always built against a decent RNG,
    PolarSSL <1.1 is therefore no longer supported.

    Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
    Acked-by: David Sommerseth <davids@redhat.com>
    Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
    URL: http://article.gmane.org/gmane.network.openvpn.devel/6211
    Signed-off-by: David Sommerseth <davids@redhat.com>
```
And checking the source code for 2.3_beta1, I see this:
```
$ git grep havege_rand | wc -l
0
$
```
If you still feel this is not fully solved, please feel free to re-open this ticket.
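The two conditions this ticket turns on are that the PolarSSL headers in use are v1.1 or newer and that no source file still calls the pre-1.1 `havege_rand()` symbol (renamed `havege_random()` in 1.1). The following pre-build check is an added example for this page, not code from the ticket or from OpenVPN's build system; it assumes PolarSSL exposes its version as a `POLARSSL_VERSION_NUMBER` macro encoded as `0xMMNNPP00`, and it builds its own small sample tree rather than reading a real checkout.

```shell
#!/bin/sh
# Added example, not from the ticket or from OpenVPN's own build system:
# a pre-build check that the PolarSSL headers are v1.1 or newer and that no
# source still calls the pre-1.1 havege_rand() symbol (havege_random() in 1.1).

# OpenVPN 2.3's minimum in PolarSSL's version-number encoding (0xMMNNPP00).
# The POLARSSL_VERSION_NUMBER macro name and its encoding are assumed here.
POLARSSL_MIN_VERSION=0x01010000

# polarssl_version_ok <version.h>: exit 0 when the header's
# POLARSSL_VERSION_NUMBER is at least POLARSSL_MIN_VERSION.
polarssl_version_ok() {
    ver=$(sed -n 's/^#define[[:space:]]*POLARSSL_VERSION_NUMBER[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' "$1")
    [ -n "$ver" ] || return 1
    [ $(($ver)) -ge $(($POLARSSL_MIN_VERSION)) ]
}

# count_havege_rand <dir>: number of lines in .c/.h files under <dir> that
# still call havege_rand( ; the 1.1 name havege_random( does not match.
count_havege_rand() {
    find "$1" -name '*.[ch]' -exec grep -n 'havege_rand(' {} + 2>/dev/null | wc -l | tr -d ' '
}

# check_tree <tree>: run both checks, print a report, exit 0 only if both pass.
check_tree() {
    rc=0
    if polarssl_version_ok "$1/include/polarssl/version.h"; then
        echo "PolarSSL version: ok"
    else
        echo "PolarSSL version: older than 1.1 or header not found"; rc=1
    fi
    n=$(count_havege_rand "$1/src")
    if [ "$n" -eq 0 ]; then
        echo "havege_rand() calls: none"
    else
        echo "havege_rand() calls: $n (rename to havege_random())"; rc=1
    fi
    return $rc
}

# make_demo_tree: constructed sample tree (not real OpenVPN or PolarSSL files)
# with a 1.1.1 header, one pre-1.1 caller and one already-converted caller;
# prints the tree's path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/include/polarssl" "$d/src"
    echo '#define POLARSSL_VERSION_NUMBER 0x01010100' > "$d/include/polarssl/version.h"
    echo 'int b(havege_state *hs) { return havege_rand(hs); }' > "$d/src/old.c"
    echo 'int r(havege_state *hs, unsigned char *o, size_t n) { return havege_random(hs, o, n); }' > "$d/src/new.c"
    echo "$d"
}

# Stand-alone run on the constructed tree: the version passes, but old.c
# still holds one havege_rand() call, so the tree is reported as not ready.
demo=$(make_demo_tree)
check_tree "$demo" || echo "tree not ready for OpenVPN 2.3"
rm -rf "$demo"
```

Pointing `check_tree` at a real source tree gives the same two-line report; the `git grep havege_rand | wc -l` check quoted above is the single-repository form of `count_havege_rand`.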
comment:5 Changed 12 years ago by
| Milestone: | → beta 2.3 |
|---|---|
Hi! Thanks for the bug report. The issue should have been fixed a while ago, but the patches are waiting for the new build system to be included. For reference, please see:
http://article.gmane.org/gmane.network.openvpn.devel/5689
http://article.gmane.org/gmane.network.openvpn.devel/5693
http://article.gmane.org/gmane.network.openvpn.devel/5688