[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e

To: cpunks <cypherpunks@xxxxxxxxxx>, Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
From: coderman <coderman@xxxxxxxxx>
Date: Fri, 20 Dec 2013 04:32:33 -0800

On Mon, Dec 16, 2013 at 7:27 PM, coderman <coderman@xxxxxxxxx> wrote:
> ...
> "what is affected??"

fortunately impacts are less than anticipated!

nickm devised most concise fix: RAND_set_rand_method(RAND_SSLeay());
 always after ENGINE_load_builtin_engines().
https://gitweb.torproject.org/tor.git/commitdiff/7b87003957530427eadce36ed03b4645b481a335

---

full write up is here including a BADRAND engine patch for testing:
  https://peertech.org/goodrand

---

last but not least, notable omissions on NSA role in reqs for random
number sources in Appendix E: US Government Role in Current Encryption
Standards.:
  http://cryptome.org/2013/12/nsa-usg-crypto-role.pdf

can we get a do-over?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
  - From: coderman
- Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
  - From: coderman

Prev by Date: [Full-disclosure] Synology DSM multiple directory traversal
Next by Date: [Full-disclosure] [ MDVSA-2013:296 ] wireshark
Previous by thread: Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
Next by thread: [Full-disclosure] cryptographic flaws in IBM SPSS data file encryption
Index(es):
- Date
- Thread