Configure switch added for enabling PolarSSL HAVEGE random number generator. Default...

Drop support for PolarSSL versions prior to 1.0.0

diff --git a/configure.ac b/configure.ac
index d7f5f7603efc2a4c8632902ced4d31ac9f7ac793..f48f11d96b68dfb23378718e4277ce6899d8e3d1 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -37,6 +37,7 @@ AM_INIT_AUTOMAKE
 # Configure options.
 AC_ARG_WITH([ssl], [AC_HELP_STRING([--with-ssl=@<:@LIB@:>@], [SSL library (openssl|polarssl) @<:@default=polarssl@:>@])], [], [with_ssl=polarssl])
 AC_ARG_ENABLE(polarssl-test-cert, [  --enable-polarssl-test-cert  Link to PolarSSL test certificate and key @<:@default=no@:>@], [enable_polarssl_test_cert=yes])
+AC_ARG_ENABLE(polarssl-havege, [  --enable-polarssl-havege  Link to PolarSSL HAVEGE random generator key @<:@default=no@:>@ Deafult: /dev/urandom], [enable_polarssl_havege=yes])
 
 # Checks for programs.
 AC_PROG_CC
@@ -54,6 +55,10 @@ AS_IF([test "x$with_ssl" = xpolarssl], [
            AC_CHECK_LIB([polarssl], [test_srv_crt], [], [AC_MSG_ERROR([could not find test_srv_crt])])
            AC_DEFINE([USE_POLARSSL_TESTCERT], [], [Use PolarSSL test certificate])
     ])
+    AS_IF([test "x$enable_polarssl_havege" = xyes], [
+           AC_CHECK_LIB([polarssl], [havege_init], [], [AC_MSG_ERROR([could not find havege_init])])
+           AC_DEFINE([USE_POLARSSL_HAVEGE], [], [Use PolarSSL HAVEGE random generator])
+    ])
 ])
 AS_IF([test "x$with_ssl" = xopenssl], [
        AC_CHECK_HEADERS([openssl/ssl.h], [], [AC_MSG_ERROR([could not find openssl/ssl.h])])

diff --git a/src/crypt.c b/src/crypt.c
index f3e74d8079863f7a40b334a077e6c093abacec1c..eb6b07b2aa68dfd3b50a1b66c6a14271e9794a2c 100644 (file)
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -43,8 +43,7 @@
 #include "crypt.h"
 #include "ssl.h"
 
-#ifdef USE_POLARSSL
-#include <polarssl/havege.h>
+#ifdef USE_POLARSSL_HAVEGE
 extern havege_state hs;
 #endif
 

diff --git a/src/ssl.c b/src/ssl.c
index e413db6de7b0afb6906b9f5f280d3f17159ff0ff..9c5236ec6815dff9d70f16890e1d5c973b436b7f 100644 (file)
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -30,6 +30,7 @@
 */
 #include <string.h>
 #include <stdlib.h>
+#include <fcntl.h>
 
 #include "conf.h"
 #include "log.h"
@@ -67,7 +68,11 @@ static x509_cert certificate;
 static rsa_context key;
 bool_t builtInTestCertificate;
 
-havege_state hs; /* exported to crypt.c */
+#ifdef USE_POLARSSL_HAVEGE
+havege_state hs;
+#else
+int urandom_fd;
+#endif
 
 /* DH prime */
 char *my_dhm_P =
@@ -145,6 +150,20 @@ static void initKey()
                Log_fatal("Could not read RSA key file %s", keyfile);
 }
 
+#ifndef USE_POLARSSL_HAVEGE
+int urandom_bytes(void *ctx, unsigned char *dest, size_t len)
+{
+       int cur;
+
+       while (len) {
+               cur = read(urandom_fd, dest, len);
+               if (cur < 0)
+                       continue;
+               len -= cur;
+       }
+}
+#endif
+
 #define DEBUG_LEVEL 0
 static void pssl_debug(void *ctx, int level, const char *str)
 {
@@ -168,7 +187,16 @@ void SSLi_init(void)
 #else
        initKey();
 #endif
+
+       /* Initialize random number generator */
+#ifdef USE_POLARSSL_HAVEGE
     havege_init(&hs);
+#else
+    urandom_fd = open("/dev/urandom", O_RDONLY);
+    if (urandom_fd < 0)
+           Log_fatal("Cannot open /dev/urandom");
+    Log_info("Using random number generator /dev/urandom");
+#endif
     
 #ifdef POLARSSL_VERSION_MAJOR
     version_get_string(verstring);
@@ -219,8 +247,13 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready)
        
        ssl_set_endpoint(ssl, SSL_IS_SERVER);   
        ssl_set_authmode(ssl, SSL_VERIFY_OPTIONAL);
-
+       
+#ifdef USE_POLARSSL_HAVEGE
        ssl_set_rng(ssl, HAVEGE_RAND, &hs);
+#else
+       ssl_set_rng(ssl, urandom_bytes, NULL);
+#endif
+       
        ssl_set_dbg(ssl, pssl_debug, NULL);
        ssl_set_bio(ssl, net_recv, fd, net_send, fd);
 

diff --git a/src/ssl.h b/src/ssl.h
index d155f7f07688c35692b804a0d5a2737346b96383..aa0fe9381754d8fe9c1df157f6f569f5b69d00ba 100644 (file)
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -40,38 +40,29 @@
 #include <polarssl/ssl.h>
 #include <polarssl/version.h>
 
-#ifndef POLARSSL_VERSION_MAJOR
-       #define POLARSSL_API_V0
-#else
-#if (POLARSSL_VERSION_MAJOR == 0)
-       #define POLARSSL_API_V0
-    #define HAVEGE_RAND (havege_rand)
-    #define RAND_bytes(_dst_, _size_) do { \
-           int i; \
-           for (i = 0; i < _size_; i++) { \
-               _dst_[i] = havege_rand(&hs); \
-           } \
-    } while (0)
-#else
-       #define POLARSSL_API_V1
+#define POLARSSL_API_V1
+#ifdef USE_POLARSSL_HAVEGE
     #if (POLARSSL_VERSION_MINOR >= 1)
         #define HAVEGE_RAND (havege_random)
         #define RAND_bytes(_dst_, _size_) do { \
                havege_random(&hs, _dst_, _size_); \
-               } while (0)
+        } while (0)
     #else
         #define HAVEGE_RAND (havege_rand)
         #define RAND_bytes(_dst_, _size_) do { \
-                int i; \
-                for (i = 0; i < _size_; i++) { \
-                    _dst_[i] = havege_rand(&hs); \
-                } \
+            int i; \
+               for (i = 0; i < _size_; i++) { \
+                   _dst_[i] = havege_rand(&hs); \
+               } \
         } while (0)
     #endif
-    #if (POLARSSL_VERSION_MINOR >= 2)
-           #define POLARSSL_API_V1_2
-    #endif
+#else
+#define RAND_bytes(_dst_, _size_) do { urandom_bytes(NULL, _dst_, _size_); } while (0)
+int urandom_bytes(void *ctx, unsigned char *dest, size_t len);
 #endif
+
+#if (POLARSSL_VERSION_MINOR >= 2)
+    #define POLARSSL_API_V1_2
 #endif
 
 #else /* OpenSSL */