Re: [tor-bugs] #10402 [Tor]: Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
#10402: Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
------------------------+-----------------
Reporter: anon | Owner:
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
------------------------+-----------------
Comment (by anon):
Patches updated:
https://peertech.org/dist/tor-0.2.4.19-rdrand-disable.patch
https://peertech.org/dist/tor-0.2.5.1-rdrand-disable.patch
https://peertech.org/dist/tor-latest-rdrand-disable.patch
The diff should look like:
{{{
/* If we are using a version of OpenSSL that supports native RDRAND
   make sure that we force disable its use as sole entropy source.
   See https://trac.torproject.org/projects/tor/ticket/10402 */
if (SSLeay() > OPENSSL_V_SERIES(1,0,0)) {
  t = ENGINE_get_default_RAND();
  if (t &&
      (strcmp(ENGINE_get_id(t), "rdrand") == 0)) {
    log_warn(LD_CRYPTO, "OpenSSL is using RDRAND by default."
             " Attempting to force disable.");
    ENGINE_unregister_RAND(t);
    ENGINE_register_all_complete();
  }
}
/* Log, if available, the intersection of the set of algorithms
   used by Tor and the set of algorithms available in the engine */
log_engine("RSA", ENGINE_get_default_RSA());
.
.
}}}
And should result in a log like:
{{{
Dec ... [warn] OpenSSL is using RDRAND by default. Attempting to force
disable.
Dec ... [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Dec ... [notice] Using default implementation for RAND
.
.
}}}
What you should NOT see is this line: "[notice] Using OpenSSL engine Intel
RDRAND engine [rdrand] for RAND" which is synonymous with EPICFAIL. *grin*
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10402#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
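
The log check described in the comment above can be automated. The following is an added example, not part of the original post or of Tor's code: it parses the two notice formats quoted in the comment and reports which engine serves RAND. The function names and the sample logs (with invented timestamps) are assumptions made for illustration.

```python
import re

# Notice formats as quoted in the ticket comment above.
ENGINE_RE = re.compile(
    r"Using OpenSSL engine (?P<name>[^\[\]]+?) \[(?P<id>[^\]]+)\] for (?P<alg>[\w-]+)")
DEFAULT_RE = re.compile(r"Using default implementation for (?P<alg>[\w-]+)")
WARN_TEXT = "OpenSSL is using RDRAND by default. Attempting to force disable."


def engines_by_algorithm(log_text):
    """Map algorithm -> engine id ("default" = OpenSSL's built-in code).

    Later entries win, so the map reflects the most recent start in the log.
    """
    # Mail clients and pagers wrap long lines; collapse whitespace first.
    flat = " ".join(log_text.split())
    events = [(m.start(), m["alg"], m["id"]) for m in ENGINE_RE.finditer(flat)]
    events += [(m.start(), m["alg"], "default") for m in DEFAULT_RE.finditer(flat)]
    return {alg: engine for _, alg, engine in sorted(events)}


def check_rand(log_text):
    """Return (verdict, disable_attempted) for the RAND source in a Tor log.

    verdict: "rdrand" (the failure case), "ok", or "unknown" (no RAND line).
    """
    flat = " ".join(log_text.split())
    rand = engines_by_algorithm(log_text).get("RAND")
    verdict = "unknown" if rand is None else ("rdrand" if rand.lower() == "rdrand" else "ok")
    return verdict, WARN_TEXT in flat


# Constructed sample logs (timestamps invented); message text follows the post.
PATCHED_LOG = """\
Dec 15 10:00:01.000 [warn] OpenSSL is using RDRAND by default. Attempting to force
disable.
Dec 15 10:00:01.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Dec 15 10:00:01.000 [notice] Using default implementation for RAND
"""
UNPATCHED_LOG = """\
Dec 15 10:00:01.000 [notice] Using OpenSSL engine RSAX engine support [rsax] for RSA
Dec 15 10:00:01.000 [notice] Using OpenSSL engine Intel RDRAND engine [rdrand] for RAND
"""

if __name__ == "__main__":
    for label, log in (("patched", PATCHED_LOG), ("unpatched", UNPATCHED_LOG)):
        print(label, engines_by_algorithm(log), check_rand(log))
```

A verdict of "unknown" means the log contains no RAND line at all, which should be treated as unverified rather than as a pass.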