From 1fd0e055bee390d746072650a53e00c30f76e7d7 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 19 Jun 2013 12:05:04 +0200
Subject: [PATCH] Disabled the HAVEGE random generator by default
Rationale: The HAVEGE random generator has too many caveats to be a standard generator that people rely on. The HAVEGE random generator is not suitable for virtualized environments. In addition the HAVEGE random generator is dependent on timing and specific processor traits that cannot be guaranteed by default on compile time. Our advice: only use HAVEGE as an additional random source for your entropy pool, never as your primary source.
(cherry picked from commit 08f06cf49f3e71258bc1a9350de1c297f22e4ec9)
Conflicts: ChangeLog
---
 ChangeLog | 4 ++++
 include/polarssl/config.h | 13 +++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 767764f6e..56187899a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 PolarSSL ChangeLog
 
+= Branch 1.1
+Changes
+ * HAVEGE random generator disabled by default
+
 = Version 1.1.6 released on 2013-03-11
 Bugfix
 * Fixed net_bind() for specified IP addresses on little endian systems
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 3f539fe07..887e0fafb 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -452,14 +452,23 @@
  *
  * Enable the HAVEGE random generator.
  *
+ * Warning: the HAVEGE random generator is not suitable for virtualized
+ * environments
+ *
+ * Warning: the HAVEGE random generator is dependent on timing and specific
+ * processor traits. It is therefore not advised to use HAVEGE as
+ * your applications primary random generator or primary entropy pool
+ * input. As a secondary input to your entropy pool, it IS able add
+ * the (limited) extra entropy it provides.
+ *
  * Module: library/havege.c
  * Caller:
  *
  * Requires: POLARSSL_TIMING_C
  *
- * This module enables the HAVEGE random number generator.
- */
+ * Uncomment to enable the HAVEGE random generator.
 #define POLARSSL_HAVEGE_C
+ */
 
 /**
  * \def POLARSSL_MD_C
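Review bot: The added warning in the `POLARSSL_HAVEGE_C` block carries the security guidance for this option but has two wording slips: `your applications primary random generator` should read `your application's primary random generator`, and `it IS able add` should read `it IS able to add`. Because `#define POLARSSL_HAVEGE_C` now sits inside the `/** ... */` block, "Uncomment to enable" in practice means moving the closing `*/` above the define; unless the rest of config.h already disables options this way (not visible in this hunk), closing the comment first and writing `//#define POLARSSL_HAVEGE_C` makes enabling a one-line edit and keeps the doc block intact. The hunk also documents `Requires: POLARSSL_TIMING_C` without enforcing it, and the entropy-collection code is not shown, so it is worth confirming that the default build still has a platform entropy source once HAVEGE is off.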