Opened 10 years ago

Closed 9 years ago

Last modified 9 years ago

#200 closed Bug / Defect (fixed)

PolarSSL v1.1.1 support

Reported by: palatinux Owned by:
Priority: blocker Milestone: beta 2.3
Component: Crypto Version: OpenVPN 2.3-beta / 2.3-RC (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: polarssl havege
Cc: andj

Description

In order to enable PolarSSL v.1.1.1 support for openvpn-2.3-alpha1, all functions containing the instruction 'havege_rand' should be changed to 'havege_random'

The Fortress Linux security team.
https://www.fortresslinux.org

Change History (5)

comment:1 Changed 10 years ago by andj

Hi! Thanks for the bug report. The issue should be fixed a while ago, but the patches are waiting for the new build system to be included. For reference, please see:

http://article.gmane.org/gmane.network.openvpn.devel/5689
http://article.gmane.org/gmane.network.openvpn.devel/5693
http://article.gmane.org/gmane.network.openvpn.devel/5688

comment:2 Changed 10 years ago by Palatinux

Thanks, the first patch worked. Though the involvement of FOX-IT in OpenVPN may raise some supposition:

https://forums.openvpn.net/topic10180.html

comment:3 Changed 10 years ago by Palatinux

Sorry, I meant suspicion.

comment:4 Changed 9 years ago by David Sommerseth

Cc: andj added
Keywords: polarssl havege added; Palatinux PolarSSL v1.1.1 openvpn 2.3 removed
Resolution: fixed
Severity: Patch Queue: New / awaiting ACKNot set (if unsure, select this one)
Status: newclosed

I've replied to the forum thread, in regards to the concerns of the Fox-IT involvement.

When it comes to Havege RNG support, that should be removed from OpenVPN 2.3. OpenVPN 2.3 will require PolarSSL v1.1 or newer, which supports better random generators.

commit 1d92d06dca5ac38990261cb546a766b91fc53f9b
Author: Adriaan de Jong <dejong@fox-it.com>
Date:   Mon Apr 2 09:28:05 2012 +0200

    Removed support for PolarSSL < 1.1
    
    PolarSSL 1.0 and earlier use only the Havege RNG. Havege is based on timing
    certain operations, using the RDTSC instruction. Although this is fine on
    bare metal PCs, the RDTSC instruction is virtualised on some virtual
    machine implementations. This can result in issues on those virtual
    machines. PolarSSL fixes this potential issue by also using platform
    entropy.
    
    To ensure that OpenVPN is always built against a decent RNG, PolarSSL <1.1
    is therefore no longer supported.
    
    Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
    Acked-by: David Sommerseth <davids@redhat.com>
    Message-Id: 1333351687-3732-4-git-send-email-dejong@fox-it.com
    URL: http://article.gmane.org/gmane.network.openvpn.devel/6211
    Signed-off-by: David Sommerseth <davids@redhat.com>

And checking the source code for 2.3_beta1, I see this:

$ git grep havege_rand | wc -l
0
$

If you still feel this is not fully solved, please feel free to re-open this ticket.

comment:5 Changed 9 years ago by David Sommerseth

Milestone: beta 2.3
Note: See TracTickets for help on using tickets.