Full Disclosure mailing list archives
Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
From: coderman <coderman () gmail com>
Date: Fri, 20 Dec 2013 04:32:33 -0800
On Mon, Dec 16, 2013 at 7:27 PM, coderman <coderman () gmail com> wrote:
... "what is affected??"
fortunately impacts are less than anticipated! nickm devised most concise fix: RAND_set_rand_method(RAND_SSLeay()); always after ENGINE_load_builtin_engines(). https://gitweb.torproject.org/tor.git/commitdiff/7b87003957530427eadce36ed03b4645b481a335 --- full write up is here including a BADRAND engine patch for testing: https://peertech.org/goodrand --- last but not least, notable omissions on NSA role in reqs for random number sources in Appendix E: US Government Role in Current Encryption Standards.: http://cryptome.org/2013/12/nsa-usg-crypto-role.pdf can we get a do-over? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 14)
- Message not available
- Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 14)
- Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 16)
- Re: RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e coderman (Dec 20)