[tor-bugs] #17686 [Tor]: Make our openssl-RNG calling code less scary.

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 25 15:30:12 UTC 2015


#17686: Make our openssl-RNG calling code less scary.
------------------------+------------------------------------
 Reporter:  nickm       |          Owner:
     Type:  defect      |         Status:  new
 Priority:  Medium      |      Milestone:  Tor: 0.2.8.x-final
Component:  Tor         |        Version:
 Severity:  Normal      |     Resolution:
 Keywords:  rng crypto  |  Actual Points:
Parent ID:              |         Points:
  Sponsor:              |
------------------------+------------------------------------

Comment (by yawning):

 Signing off on the "not actually a security bug" bit, at least with all 4
 of the latest OpenSSL release branches and master.

 A few more thoughts, while we're messing with this code (may deserve
 separate tickets?):
  * `crypto_strongest_rand()` could/should use getrandom/getentropy when
 available.
  * If we trust in libottery(-lite), we could fold it in and have OpenSSL
 use that as the RAND method.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17686#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

