Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1530?usp=email
to review the following change.
Change subject: Mbed TLS 3: Remove prediction resistance option
......................................................................
Mbed TLS 3: Remove prediction resistance option
The option --use-prediction-resistance causes the random number
generator to be reseeded for every call. This is excessive.
This commit removes that option.
Change-Id: I6298795f140c2c62252638f9e0cd6df19cb3d7ed
Signed-off-by: Max Fillinger <[email protected]>
---
M doc/man-sections/generic-options.rst
M src/openvpn/crypto_mbedtls_legacy.c
M src/openvpn/crypto_mbedtls_legacy.h
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/syshead.h
7 files changed, 0 insertions(+), 69 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/30/1530/1
diff --git a/doc/man-sections/generic-options.rst
b/doc/man-sections/generic-options.rst
index ed581b1..f46dfec 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -462,16 +462,6 @@
success/failure via :code:`auth_control_file` when using deferred auth
method and pending authentication via :code:`auth_pending_file`.
---use-prediction-resistance
- Enable prediction resistance on mbed TLS's RNG.
-
- Enabling prediction resistance causes the RNG to reseed in each call for
- random. Reseeding this often can quickly deplete the kernel entropy
- pool.
-
- If you need this option, please consider running a daemon that adds
- entropy to the kernel pool.
-
--user user
Change the user ID of the OpenVPN process to ``user`` after
initialization, dropping privileges in the process. This option is
diff --git a/src/openvpn/crypto_mbedtls_legacy.c
b/src/openvpn/crypto_mbedtls_legacy.c
index a991349..b8e7d6a 100644
--- a/src/openvpn/crypto_mbedtls_legacy.c
+++ b/src/openvpn/crypto_mbedtls_legacy.c
@@ -366,16 +366,6 @@
return &cd_ctx;
}
-#ifdef ENABLE_PREDICTION_RESISTANCE
-void
-rand_ctx_enable_prediction_resistance(void)
-{
- mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get();
-
- mbedtls_ctr_drbg_set_prediction_resistance(cd_ctx, 1);
-}
-#endif /* ENABLE_PREDICTION_RESISTANCE */
-
int
rand_bytes(uint8_t *output, int len)
{
diff --git a/src/openvpn/crypto_mbedtls_legacy.h
b/src/openvpn/crypto_mbedtls_legacy.h
index af71037..1005057 100644
--- a/src/openvpn/crypto_mbedtls_legacy.h
+++ b/src/openvpn/crypto_mbedtls_legacy.h
@@ -89,14 +89,6 @@
*/
mbedtls_ctr_drbg_context *rand_ctx_get(void);
-#ifdef ENABLE_PREDICTION_RESISTANCE
-/**
- * Enable prediction resistance on the random number generator.
- */
-void rand_ctx_enable_prediction_resistance(void);
-
-#endif
-
/**
* Log the supplied mbed TLS error, prefixed by supplied prefix.
*
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 70c0b5d..1391aa85 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2989,13 +2989,6 @@
packet_id_persist_load(&c->c1.pid_persist,
c->options.packet_id_file);
}
}
-
-#ifdef ENABLE_PREDICTION_RESISTANCE
- if (c->options.use_prediction_resistance)
- {
- rand_ctx_enable_prediction_resistance();
- }
-#endif
}
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2bca647..51b4252 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -566,10 +566,6 @@
" using file.\n"
"--test-crypto : Run a self-test of crypto features enabled.\n"
" For debugging only.\n"
-#ifdef ENABLE_PREDICTION_RESISTANCE
- "--use-prediction-resistance: Enable prediction resistance on the random\n"
- " number generator.\n"
-#endif
"\n"
"TLS Key Negotiation Options:\n"
"(These options are meaningful only for TLS-mode)\n"
@@ -872,9 +868,6 @@
o->replay_window = DEFAULT_SEQ_BACKTRACK;
o->replay_time = DEFAULT_TIME_BACKTRACK;
o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
-#ifdef ENABLE_PREDICTION_RESISTANCE
- o->use_prediction_resistance = false;
-#endif
o->tls_timeout = 2;
o->renegotiate_bytes = -1;
o->renegotiate_seconds = 3600;
@@ -1841,9 +1834,6 @@
SHOW_INT(replay_time);
SHOW_STR(packet_id_file);
SHOW_BOOL(test_crypto);
-#ifdef ENABLE_PREDICTION_RESISTANCE
- SHOW_BOOL(use_prediction_resistance);
-#endif
SHOW_BOOL(tls_server);
SHOW_BOOL(tls_client);
@@ -4476,13 +4466,6 @@
{
buf_printf(&out, ",secret");
}
-
-#ifdef ENABLE_PREDICTION_RESISTANCE
- if (o->use_prediction_resistance)
- {
- buf_printf(&out, ",use-prediction-resistance");
- }
-#endif
}
/*
@@ -8543,13 +8526,6 @@
options->providers.names[j] = p[j];
}
}
-#ifdef ENABLE_PREDICTION_RESISTANCE
- else if (streq(p[0], "use-prediction-resistance") && !p[1])
- {
- VERIFY_PERMISSION(OPT_P_GENERAL);
- options->use_prediction_resistance = true;
- }
-#endif
else if (streq(p[0], "show-tls") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 16cfdb5..cf9936b 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -584,9 +584,6 @@
int replay_time;
const char *packet_id_file;
bool test_crypto;
-#ifdef ENABLE_PREDICTION_RESISTANCE
- bool use_prediction_resistance;
-#endif
/* TLS (control channel) parms */
bool tls_server;
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 582e130..7e742b3 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -474,13 +474,6 @@
#define PORT_SHARE 0
#endif
-#ifdef ENABLE_CRYPTO_MBEDTLS
-#include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER < 0x04000000
-#define ENABLE_PREDICTION_RESISTANCE
-#endif /* MBEDTLS_VERSION_NUMBER < 0x04000000 */
-#endif /* ENABLE_CRYPTO_MBEDTLS */
-
/*
* Do we support Unix domain sockets?
*/
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1530?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I6298795f140c2c62252638f9e0cd6df19cb3d7ed
Gerrit-Change-Number: 1530
Gerrit-PatchSet: 1
Gerrit-Owner: MaxF <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
