| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJVRA1RbpJWtaU0i87BOqXzNcrMDe+uzEsJFGxOe5x=4b3e+Fg@mail.gmail.com> Date: Fri, 20 Dec 2013 04:32:33 -0800 From: coderman <coderman@...il.com> To: cpunks <cypherpunks@...nks.org>, Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e On Mon, Dec 16, 2013 at 7:27 PM, coderman <coderman@...il.com> wrote: > ... > "what is affected??" fortunately impacts are less than anticipated! nickm devised most concise fix: RAND_set_rand_method(RAND_SSLeay()); always after ENGINE_load_builtin_engines(). https://gitweb.torproject.org/tor.git/commitdiff/7b87003957530427eadce36ed03b4645b481a335 --- full write up is here including a BADRAND engine patch for testing: https://peertech.org/goodrand --- last but not least, notable omissions on NSA role in reqs for random number sources in Appendix E: US Government Role in Current Encryption Standards.: http://cryptome.org/2013/12/nsa-usg-crypto-role.pdf can we get a do-over? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists