Full Disclosure mailing list archives
Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
From: coderman <coderman () gmail com>
Date: Sat, 14 Dec 2013 09:25:49 -0800
On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman () gmail com> wrote:
... if you are using an application linked with openssl-1.0.1-beta1 through openssl-1.0.1e you should do one of the following: ... b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines().
correction:
this won't leave you vulnerable, but it will crash your app. not
broken convention:
/* If we are using a version of OpenSSL that supports native RDRAND
make sure that we force disable its use as sole entropy source.
See https://trac.torproject.org/projects/tor/ticket/10402 */
if (SSLeay() > OPENSSL_V_SERIES(1,0,0)) {
t = ENGINE_get_default_RAND();
if (t &&
(strcmp(ENGINE_get_id(t), "rdrand") == 0)) {
log_warn(LD_CRYPTO, "OpenSSL is using RDRAND by default."
" Attempting to force disable.");
ENGINE_unregister_RAND(t);
ENGINE_register_all_complete();
}
}
see https://peertech.org/dist/tor-latest-rdrand-disable.patch
best regards,
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 14)
- Message not available
- Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 14)
- Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 16)