[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
From: coderman <coderman@xxxxxxxxx>
Date: Sat, 14 Dec 2013 06:14:27 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 14 Dec 2013 09:26:25 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=ks+xFTcUqZlpOMQWA4BDYs1SgwFykExy9zyN80lHkbQ=; b=m3BB97Ng5drmDqoSRDdsdb3mPD9HIwykKmb24yuwb3hyU2WKhROoa3AmAziYZWKGxp ddT+1aFoyWysn9zMrTHL0l9fwwn8k04xXJzxhZT//8KjqhO5eDoBWI8iUofIQ0Dut6lL 3TjjW5tAS4p6IdOH4gbAu6WoG6EUDt/Ju5YgBAWrtiFqVUrzAQG7LCALkMS4o0Oz7PBR e2OWBli0f3WhnCmAWUWhlb0w/JQgLGg6ivRyB6QUHRvgMl0d5a94wob6/ZUGxV+TV6Ef RdvXQbwHBXugTBDyhZkXn1DeSWrT4/2eSYJpLU6f5U/9e20u9qVbswLil1ZTecGTZ8y0 lV+Q==
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

this is logged as trac ticket:
  https://trac.torproject.org/projects/tor/ticket/10402


FreeBSD project announced RDRAND not to be used directly, with OpenSSL
following guidance.[0][1][2]

IF?
  you are using a Tor built against openssl-1.0.1-beta1 through openssl-1.0.1e
AND+
  you have set HardwareAccel 1
THEN:
  you should implement one of the remedies below!


help coderman test mitigation patch:
  https://peertech.org/dist/tor-0.2.4.19-rdrand-disable.patch
  https://peertech.org/dist/tor-0.2.5.1-rdrand-disable.patch
  https://peertech.org/dist/tor-latest-rdrand-disable.patch
if on Sandy Bridge, Ivy Bridge, other Intel CPU with RDRAND.


OTHER mitigation:
- re-build your OpenSSL with OPENSSL_NO_RDRAND defined
- re-build your Tor with DISABLE_ENGINES defined
- update to latest git openssl or cherry pick commit: "Don't use
rdrand engine as default unless explicitly requested." - Dr. Stephen
Henson


best regards,



0. "FreeBSD Developer Summit: Security Working Group, /dev/random"
  https://wiki.freebsd.org/201309DevSummit/Security

1. "Surreptitiously Tampering with Computer Chips"
  https://www.schneier.com/blog/archives/2013/09/surreptitiously.html

2. "How does the NSA break SSL? ... Weak random number generators"
  http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
  - From: coderman
- Re: [tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
  - From: Nick Mathewson

Prev by Author: Re: [tor-talk] Tor 0.2.4.19 is released
Next by Author: Re: [tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
Previous by thread: Re: [tor-talk] couponcabin access blocked?
Next by thread: Re: [tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
Index(es):
- Author
- Thread