Hi Fabian and Igor,

Thanks for your patch! As the Havege random number generator has some known issues on a (limited) set of virtual machines, there's a brand new RNG in PolarSSL. I'm currently working on a more complete support patch for PolarSSL's new RNG. Instead of calling Havege directly, this patch calls the NIST DRBG which uses both Havege and the platform RNG as entropy sources (/dev/urandom). For the moment, I'd prefer to include that here, instead of these more limited patches.

Kind regards,
Adriaan

> -----Original Message-----
> From: fab...@lettink.de [mailto:fab...@lettink.de] On Behalf Of Fabian Knittel
> Sent: Tuesday 28 February 2012 8:40
> To: Igor Novgorodov
> Cc: Adriaan de Jong; openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] [PATCH 01/02] Add support for PolarSSL 1.1.x branch
>
> Hi Igor,
>
> 2012/2/28 Igor Novgorodov <i...@novg.net>:
> > On 28.02.2012 1:37, Fabian Knittel wrote:
> >> Your patch removes the code that causes havege_init() to only be
> >> called once. You never want to initialise your PRNG more than once,
> >> otherwise you increase the risk that your randomness is predictable.
> >> So please revert that part of your patch.
> >
> > Yes, my fault. I didn't notice that the variable was static, so I
> > thought that it was local-scope only and removed the check... The fixed
> > patch is attached
>
> Thanks!
>
> >> ([...], although I haven't tested it and don't have any experience
> >> with PolarSSL.)
>
> Maybe Adriaan or someone else can take a quick peek and give a full-hearted ACK?
>
> Cheers
> Fabian