From 08f06cf49f3e71258bc1a9350de1c297f22e4ec9 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Thu, 6 Jun 2013 14:05:26 +0200 Subject: [PATCH] Disabled the HAVEGE random generator by default Rationale: The HAVEGE random generator has too many caveats to be a standard generator that people rely on. The HAVEGE random generator is not suitable for virtualized environments. In addition the HAVEGE random generator is dependent on timing and specific processor traits that cannot be guaranteed by default on compile time. Our advice: only use HAVEGE as an additional random source for your entropy pool, never as your primary source. --- ChangeLog | 3 +++ include/polarssl/config.h | 13 +++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce8f1d9aa2..53a6095f2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ PolarSSL ChangeLog = Branch 1.2 +Change + * HAVEGE random generator disabled by default + Bugfix * Secure renegotiation extension should only be sent in case client supports secure renegotiation diff --git a/include/polarssl/config.h b/include/polarssl/config.h index b69bd8cedc..145b99bc11 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -583,14 +583,23 @@ * * Enable the HAVEGE random generator. * + * Warning: the HAVEGE random generator is not suitable for virtualized + * environments + * + * Warning: the HAVEGE random generator is dependent on timing and specific + * processor traits. It is therefore not advised to use HAVEGE as + * your applications primary random generator or primary entropy pool + * input. As a secondary input to your entropy pool, it IS able add + * the (limited) extra entropy it provides. + * * Module: library/havege.c * Caller: * * Requires: POLARSSL_TIMING_C * - * This module enables the HAVEGE random number generator. - */ + * Uncomment to enable the HAVEGE random generator. #define POLARSSL_HAVEGE_C + */ /** * \def POLARSSL_MD_C