#200 closed Bug / Defect (fixed)
PolarSSL v1.1.1 support
| Reported by: | palatinux | Owned by: | |
|---|---|---|---|
| Priority: | blocker | Milestone: | beta 2.3 |
| Component: | Crypto | Version: | OpenVPN 2.3-beta / 2.3-RC (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | polarssl havege |
| Cc: | andj |
Description
In order to enable PolarSSL v.1.1.1 support for openvpn-2.3-alpha1, all functions containing the instruction 'havege_rand' should be changed to 'havege_random'
The Fortress Linux security team.
https://www.fortresslinux.org
Change History (5)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
Thanks, the first patch worked. Though the involvement of FOX-IT in OpenVPN may raise some supposition:
comment:4 Changed 12 years ago by
| Cc: | andj added |
|---|---|
| Keywords: | polarssl havege added; Palatinux PolarSSL v1.1.1 openvpn 2.3 removed |
| Resolution: | → fixed |
| Severity: | Patch Queue: New / awaiting ACK → Not set (if unsure, select this one) |
| Status: | new → closed |
I've replied to the forum thread, in regards to the concerns of the Fox-IT involvement.
When it comes to Havege RNG support, that should be removed from OpenVPN 2.3. OpenVPN 2.3 will require PolarSSL v1.1 or newer, which supports better random generators.
commit 1d92d06dca5ac38990261cb546a766b91fc53f9b
Author: Adriaan de Jong <dejong@fox-it.com>
Date: Mon Apr 2 09:28:05 2012 +0200
Removed support for PolarSSL < 1.1
PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing
certain operations, using the RDTSC instruction. Although this is fine on
bare metal PCs, the RDTSC instruction is virtualised on some virtual
machine implementations. This can result in issues on those virtual
machines. PolarSSL fixes this potential issue by also using platform
entropy.
To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1
is therefore no longer supported.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/6211
Signed-off-by: David Sommerseth <davids@redhat.com>
And checking the source code for 2.3_beta1, I see this:
$ git grep havege_rand | wc -l 0 $
If you still feel this is not fully solved, please feel free to re-open this ticket.
comment:5 Changed 12 years ago by
| Milestone: | → beta 2.3 |
|---|
Note: See
TracTickets for help on using
tickets.
Hi! Thanks for the bug report. The issue should be fixed a while ago, but the patches are waiting for the new build system to be included. For reference, please see:
http://article.gmane.org/gmane.network.openvpn.devel/5689
http://article.gmane.org/gmane.network.openvpn.devel/5693
http://article.gmane.org/gmane.network.openvpn.devel/5688