[tor-bugs] #10402 [Tor]: Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 14 17:36:06 UTC 2013


#10402: Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
------------------------+-----------------
     Reporter:  anon    |      Owner:
         Type:  defect  |     Status:  new
     Priority:  major   |  Milestone:
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:
Actual Points:          |  Parent ID:
       Points:          |
------------------------+-----------------

Comment (by anon):

 Patches updated:
 https://peertech.org/dist/tor-0.2.4.19-rdrand-disable.patch
 https://peertech.org/dist/tor-0.2.5.1-rdrand-disable.patch
 https://peertech.org/dist/tor-latest-rdrand-disable.patch

 The diff should look like:
 {{{
       /* If we are using a version of OpenSSL that supports native RDRAND
          make sure that we force disable its use as sole entropy source.
          See https://trac.torproject.org/projects/tor/ticket/10402 */
       if (SSLeay() > OPENSSL_V_SERIES(1,0,0)) {
         t = ENGINE_get_default_RAND();
         if (t &&
             (strcmp(ENGINE_get_id(t), "rdrand") == 0)) {
           log_warn(LD_CRYPTO, "OpenSSL is using RDRAND by default."
                    " Attempting to force disable.");
           ENGINE_unregister_RAND(t);
           ENGINE_register_all_complete();
         }
       }
       /* Log, if available, the intersection of the set of algorithms
          used by Tor and the set of algorithms available in the engine */
       log_engine("RSA", ENGINE_get_default_RSA());
  .
  .
 }}}

 And should result in a log like:
 {{{
 Dec ... [warn] OpenSSL is using RDRAND by default. Attempting to force
 disable.
 Dec ... [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
 Dec ... [notice] Using default implementation for RAND
  .
  .
 }}}

 What you should NOT see is this line: "[notice] Using OpenSSL engine Intel
 RDRAND engine [rdrand] for RAND" which is synonymous with EPICFAIL. *grin*

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10402#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
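The comment above tells the reader to verify the patch by eye: the startup log must show RAND on the default implementation and must not show the Intel RDRAND engine line. The following is an added example (not Tor's code and not from the ticket) that performs that same check over log text: it parses the `[notice] Using OpenSSL engine ... [id] for ALG` and `[notice] Using default implementation for ALG` lines quoted in the ticket into a per-algorithm map and flags the failure case where RAND is bound to `rdrand`. The two sample logs are constructed; their timestamps are made up, and the line shapes are assumed to match the ticket's quoted output (a real Tor log keeps each message on one line, where the ticket wraps the warn line).

```python
"""Check a Tor startup log for which OpenSSL engine backs RAND.

Added example, not Tor's code. It reproduces over log text the check the
ticket comment describes: after crypto init, RAND must be on the default
implementation, never on the Intel RDRAND engine.
"""
import re
from typing import Dict, NamedTuple, Optional

# Line shapes taken from the log excerpt quoted in the ticket (assumed to
# hold for other engines/algorithms as well):
#   "[notice] Using OpenSSL engine RSAX engine support [rsax] for RSA"
#   "[notice] Using default implementation for RAND"
#   "[warn] OpenSSL is using RDRAND by default. Attempting to force disable."
ENGINE_RE = re.compile(
    r"\[notice\] Using OpenSSL engine (?P<name>.+?) \[(?P<id>[^\]]+)\] for (?P<alg>\w+)"
)
DEFAULT_RE = re.compile(r"\[notice\] Using default implementation for (?P<alg>\w+)")
FORCED_RE = re.compile(r"\[warn\] OpenSSL is using RDRAND by default")


class EngineReport(NamedTuple):
    engines: Dict[str, str]      # algorithm -> engine id, or "default"
    forced_disable: bool         # the patch's warn line was seen
    rand_engine: Optional[str]   # engine id for RAND, None if never logged
    rdrand_is_rand: bool         # the failure condition from the ticket


def check_log(text: str) -> EngineReport:
    """Parse one Tor log and report the engine bound to each algorithm."""
    engines: Dict[str, str] = {}
    forced = False
    for line in text.splitlines():
        if FORCED_RE.search(line):
            forced = True
            continue
        m = ENGINE_RE.search(line)
        if m:
            engines[m.group("alg")] = m.group("id")
            continue
        m = DEFAULT_RE.search(line)
        if m:
            engines[m.group("alg")] = "default"
    rand = engines.get("RAND")
    return EngineReport(engines, forced, rand, rand == "rdrand")


# Constructed sample logs (timestamps invented) for the two outcomes the
# ticket describes: the patched run and the "EPICFAIL" run.
PATCHED_LOG = """\
Dec 14 17:36:06.000 [warn] OpenSSL is using RDRAND by default. Attempting to force disable.
Dec 14 17:36:06.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Dec 14 17:36:06.000 [notice] Using default implementation for RAND
"""

UNPATCHED_LOG = """\
Dec 14 17:36:06.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Dec 14 17:36:06.000 [notice] Using OpenSSL engine Intel RDRAND engine [rdrand] for RAND
"""


if __name__ == "__main__":
    for label, log in (("patched", PATCHED_LOG), ("unpatched", UNPATCHED_LOG)):
        report = check_log(log)
        verdict = "RDRAND is the sole RAND source" if report.rdrand_is_rand else "ok"
        print(f"{label}: RAND={report.rand_engine} forced_disable={report.forced_disable} -> {verdict}")
```

A RAND entry of `None` means the log never reported which engine backs RAND (for example, when HardwareAccel is off and Tor logs nothing about engines); treat that as "unknown" rather than as a pass.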

