Ability to force the Entropy module to use SHA-256 as its basis

By default the SHA-512 module is used if both are available. On some
systems, SHA-256 is the better choice.

Contributed by: Gergely Budai
This commit is contained in:
Paul Bakker 2014-02-06 15:55:25 +01:00
parent cd6d69a414
commit 2ceda57989
4 changed files with 25 additions and 3 deletions

View file

@ -11,6 +11,8 @@ Features
and CRLs and CRLs
* Single Platform compatilibity layer (for memory / printf / fprintf) * Single Platform compatilibity layer (for memory / printf / fprintf)
* Ability to provide alternate timing implementation * Ability to provide alternate timing implementation
* Ability to force the entropy module to use SHA-256 as its basis
(POLARSSL_ENTROPY_FORCE_SHA256)
Changes Changes
* Deprecated the Memory layer * Deprecated the Memory layer

View file

@ -665,6 +665,22 @@
*/ */
//#define POLARSSL_NO_PLATFORM_ENTROPY //#define POLARSSL_NO_PLATFORM_ENTROPY
/**
* \def POLARSSL_ENTROPY_FORCE_SHA256
*
* Force the entropy accumulator to use a SHA-256 accumulator instead of the
* default SHA-512 based one (if both are available).
*
* Requires: POLARSSL_SHA256_C
*
* On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
* if you have performance concerns.
*
* This option is only useful if both POLARSSL_SHA256_C and
* POLARSSL_SHA512_C are defined. Otherwise the available hash module is used.
*/
//#define POLARSSL_ENTROPY_FORCE_SHA256
/** /**
* \def POLARSSL_MEMORY_DEBUG * \def POLARSSL_MEMORY_DEBUG
* *
@ -1334,7 +1350,7 @@
* Module: library/entropy.c * Module: library/entropy.c
* Caller: * Caller:
* *
* Requires: POLARSSL_SHA512_C * Requires: POLARSSL_SHA512_C or POLARSSL_SHA256_C
* *
* This module provides a generic entropy pool * This module provides a generic entropy pool
*/ */
@ -2103,6 +2119,10 @@
defined(POLARSSL_CONFIG_OPTIONS) && (CTR_DRBG_ENTROPY_LEN > 32) defined(POLARSSL_CONFIG_OPTIONS) && (CTR_DRBG_ENTROPY_LEN > 32)
#error "CTR_DRBG_ENTROPY_LEN value too high" #error "CTR_DRBG_ENTROPY_LEN value too high"
#endif #endif
#if defined(POLARSSL_ENTROPY_C) && \
defined(POLARSSL_ENTROPY_FORCE_SHA256) && !defined(POLARSSL_SHA256_C)
#error "POLARSSL_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
#endif
#if defined(POLARSSL_GCM_C) && ( \ #if defined(POLARSSL_GCM_C) && ( \
!defined(POLARSSL_AES_C) && !defined(POLARSSL_CAMELLIA_C) ) !defined(POLARSSL_AES_C) && !defined(POLARSSL_CAMELLIA_C) )

View file

@ -43,7 +43,7 @@
/**< The seed length (counter + AES key) */ /**< The seed length (counter + AES key) */
#if !defined(POLARSSL_CONFIG_OPTIONS) #if !defined(POLARSSL_CONFIG_OPTIONS)
#if defined(POLARSSL_SHA512_C) #if defined(POLARSSL_SHA512_C) && !defined(POLARSSL_ENTROPY_FORCE_SHA256)
#define CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ #define CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
#else #else
#define CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ #define CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */

View file

@ -31,7 +31,7 @@
#include "config.h" #include "config.h"
#if defined(POLARSSL_SHA512_C) #if defined(POLARSSL_SHA512_C) && !defined(POLARSSL_FORCE_ENTROPY_SHA256)
#include "sha512.h" #include "sha512.h"
#define POLARSSL_ENTROPY_SHA512_ACCUMULATOR #define POLARSSL_ENTROPY_SHA512_ACCUMULATOR
#else #else