lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJVRA1SdJoG1gh-hkT9CHaYwUkWWUUYeX=X=uefAYMdxwsdXxA@mail.gmail.com> Date: Sat, 14 Dec 2013 09:25:49 -0800 From: coderman <coderman@...il.com> To: cpunks <cypherpunks@...nks.org>, Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman@...il.com> wrote: > ... > if you are using an application linked with openssl-1.0.1-beta1 > through openssl-1.0.1e you should do one of the following: >... > b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines(). correction: this won't leave you vulnerable, but it will crash your app. not broken convention: /* If we are using a version of OpenSSL that supports native RDRAND make sure that we force disable its use as sole entropy source. See https://trac.torproject.org/projects/tor/ticket/10402 */ if (SSLeay() > OPENSSL_V_SERIES(1,0,0)) { t = ENGINE_get_default_RAND(); if (t && (strcmp(ENGINE_get_id(t), "rdrand") == 0)) { log_warn(LD_CRYPTO, "OpenSSL is using RDRAND by default." " Attempting to force disable."); ENGINE_unregister_RAND(t); ENGINE_register_all_complete(); } } see https://peertech.org/dist/tor-latest-rdrand-disable.patch best regards, _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists