lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 16 Dec 2013 19:27:34 -0800
From: coderman <coderman@...il.com>
To: cpunks <cypherpunks@...nks.org>, 
 Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: RDRAND used directly when default engines
 loaded in openssl-1.0.1-beta1 through openssl-1.0.1e

On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman@...il.com> wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1
> through openssl-1.0.1e you should do one of the following:


updated list with env suggestion:

a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined

b.) call ENGINE_unregister_RAND() on "rdrand" engine followed by
ENGINE_register_all_complete() to unregister rdrand as default

c.) set OPENSSL_ia32cap="~0x4000000000000000" in global environment
(this is poor fix)

d.) git pull latest openssl with commit: "Don't use rdrand engine as
default unless explicitly requested." - Dr. Stephen Henson



"what is affected??" - someone

sorry, i am not your distro maintainer.  but the list includes,
potentially (depending on configure opts / runtime / etc):
RHEL 6.5, 7.0
Centos 6.5
Fedora 18,19,rawhide
Ubuntu 12.04, 12.10, 13.04, 13.10, trusty
Debian 7.0, jessie, sid
Gentoo stable&unstable
Knoppix 7.0.5, 7.2.0
Kali 1.0.5
Slackware 14, 14.1, current
... if ssh built with --with-ssl-engine. these all use OpenSSL 1.0.1+.
 (remember both ssh client and server may use engines!)

and other libs, like:
M2Crypto
libpam-sshagent-auth
encfs
... which appear to use OpenSSL default engines.


but really, you should go check your shit.



best regards,


P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0*
or 0.9.8* in any distros i'd like to know about it!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ