diff --git a/ChangeLog b/ChangeLog index baf67fee3..2e2ecb87a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ Features and CRLs * Single Platform compatilibity layer (for memory / printf / fprintf) * Ability to provide alternate timing implementation + * Ability to force the entropy module to use SHA-256 as its basis + (POLARSSL_ENTROPY_FORCE_SHA256) Changes * Deprecated the Memory layer diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 5c36ae6b3..db34e6a29 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -665,6 +665,22 @@ */ //#define POLARSSL_NO_PLATFORM_ENTROPY +/** + * \def POLARSSL_ENTROPY_FORCE_SHA256 + * + * Force the entropy accumulator to use a SHA-256 accumulator instead of the + * default SHA-512 based one (if both are available). + * + * Requires: POLARSSL_SHA256_C + * + * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option + * if you have performance concerns. + * + * This option is only useful if both POLARSSL_SHA256_C and + * POLARSSL_SHA512_C are defined. Otherwise the available hash module is used. + */ +//#define POLARSSL_ENTROPY_FORCE_SHA256 + /** * \def POLARSSL_MEMORY_DEBUG * @@ -1334,7 +1350,7 @@ * Module: library/entropy.c * Caller: * - * Requires: POLARSSL_SHA512_C + * Requires: POLARSSL_SHA512_C or POLARSSL_SHA256_C * * This module provides a generic entropy pool */ @@ -2103,6 +2119,10 @@ defined(POLARSSL_CONFIG_OPTIONS) && (CTR_DRBG_ENTROPY_LEN > 32) #error "CTR_DRBG_ENTROPY_LEN value too high" #endif +#if defined(POLARSSL_ENTROPY_C) && \ + defined(POLARSSL_ENTROPY_FORCE_SHA256) && !defined(POLARSSL_SHA256_C) +#error "POLARSSL_ENTROPY_FORCE_SHA256 defined, but not all prerequisites" +#endif #if defined(POLARSSL_GCM_C) && ( \ !defined(POLARSSL_AES_C) && !defined(POLARSSL_CAMELLIA_C) ) diff --git a/include/polarssl/ctr_drbg.h b/include/polarssl/ctr_drbg.h index 756b5a326..8b0f38a15 100644 --- a/include/polarssl/ctr_drbg.h +++ b/include/polarssl/ctr_drbg.h @@ -43,7 +43,7 @@ /**< The seed length (counter + AES key) */ #if !defined(POLARSSL_CONFIG_OPTIONS) -#if defined(POLARSSL_SHA512_C) +#if defined(POLARSSL_SHA512_C) && !defined(POLARSSL_ENTROPY_FORCE_SHA256) #define CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ #else #define CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ diff --git a/include/polarssl/entropy.h b/include/polarssl/entropy.h index 2b824ef6d..c4d49556f 100644 --- a/include/polarssl/entropy.h +++ b/include/polarssl/entropy.h @@ -31,7 +31,7 @@ #include "config.h" -#if defined(POLARSSL_SHA512_C) +#if defined(POLARSSL_SHA512_C) && !defined(POLARSSL_FORCE_ENTROPY_SHA256) #include "sha512.h" #define POLARSSL_ENTROPY_SHA512_ACCUMULATOR #else