RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e

coderman coderman at gmail.com
Sat Dec 14 09:25:49 PST 2013


On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman at gmail.com> wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1
> through openssl-1.0.1e you should do one of the following:
>...
> b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines().

correction:
this won't leave you vulnerable, but it will crash your app.  not
broken convention:

      /* If we are using a version of OpenSSL that supports native RDRAND
         make sure that we force disable its use as sole entropy source.
         See https://trac.torproject.org/projects/tor/ticket/10402 */
      if (SSLeay() > OPENSSL_V_SERIES(1,0,0)) {
        t = ENGINE_get_default_RAND();
        if (t &&
            (strcmp(ENGINE_get_id(t), "rdrand") == 0)) {
          log_warn(LD_CRYPTO, "OpenSSL is using RDRAND by default."
                   " Attempting to force disable.");
          ENGINE_unregister_RAND(t);
          ENGINE_register_all_complete();
        }
      }

see https://peertech.org/dist/tor-latest-rdrand-disable.patch


best regards,



More information about the cypherpunks mailing list