Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'origin/maint-0.2.4'

Conflicts:
	src/common/crypto.c
Nick Mathewson 12 years ago
parent
f12d3fe9aa dabdc339fe
commit
85284c33d1
2 changed files with 21 additions and 2 deletions
Split View Show Diff Stats
  1. 11 0
      changes/bug10402
  2. 10 2
      src/common/crypto.c

+ 11 - 0
changes/bug10402
View File 

@@ -0,0 +1,11 @@
 
+  o Major bugfixes:
 
+    - Do not allow OpenSSL engines to replace the PRNG, even when
 
+      HardwareAccel is set. The only default builtin PRNG engine uses
 
+      the Intel RDRAND instruction to replace the entire PRNG, and
 
+      ignores all attempts to seed it with more entropy. That's
 
+      cryptographically stupid: the right response to a new alleged
 
+      entropy source is never to discard all previously used entropy
 
+      sources. Fixes bug 10402; works around behavior introduced in
 
+      OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
 
+      and "rl1987".
 
+

+ 10 - 2
src/common/crypto.c
View File 

@@ -168,8 +168,8 @@ log_engine(const char *fn, ENGINE *e)
 
     const char *name, *id;
 
     name = ENGINE_get_name(e);
 
     id = ENGINE_get_id(e);
 
-    log_notice(LD_CRYPTO, "Using OpenSSL engine %s [%s] for %s",
 
-        name?name:"?", id?id:"?", fn);
 
+    log_notice(LD_CRYPTO, "Default OpenSSL engine for %s is %s [%s]",
 
+               fn, name?name:"?", id?id:"?");
 
   } else {
 
     log_info(LD_CRYPTO, "Using default implementation for %s", fn);
 
   }
 
@@ -314,6 +314,7 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
 
       log_engine("ECDH", ENGINE_get_default_ECDH());
 
       log_engine("ECDSA", ENGINE_get_default_ECDSA());
 
       log_engine("RAND", ENGINE_get_default_RAND());
 
+      log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
 
       log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
 
       log_engine("3DES-CBC", ENGINE_get_cipher_engine(NID_des_ede3_cbc));
 
       log_engine("AES-128-ECB", ENGINE_get_cipher_engine(NID_aes_128_ecb));
 
@@ -334,6 +335,13 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
 
       log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
 
     }
 
 
+    if (RAND_get_rand_method() != RAND_SSLeay()) {
 
+      log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
 
+                 "a replacement the OpenSSL RNG. Resetting it to the default "
 
+                 "implementation.");
 
+      RAND_set_rand_method(RAND_SSLeay());
 
+    }
 
+
 
     evaluate_evp_for_aes(-1);
 
     evaluate_ctr_for_aes();