Merge remote-tracking branch 'origin/maint-0.2.4'
Conflicts: src/common/crypto.c
commit
85284c33d1
11
changes/bug10402
Normal file
11
changes/bug10402
Normal file
@ -0,0 +1,11 @@
|
||||
o Major bugfixes:
|
||||
- Do not allow OpenSSL engines to replace the PRNG, even when
|
||||
HardwareAccel is set. The only default builtin PRNG engine uses
|
||||
the Intel RDRAND instruction to replace the entire PRNG, and
|
||||
ignores all attempts to seed it with more entropy. That's
|
||||
cryptographically stupid: the right response to a new alleged
|
||||
entropy source is never to discard all previously used entropy
|
||||
sources. Fixes bug 10402; works around behavior introduced in
|
||||
OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
|
||||
and "rl1987".
|
||||
|
@ -168,8 +168,8 @@ log_engine(const char *fn, ENGINE *e)
|
||||
const char *name, *id;
|
||||
name = ENGINE_get_name(e);
|
||||
id = ENGINE_get_id(e);
|
||||
log_notice(LD_CRYPTO, "Using OpenSSL engine %s [%s] for %s",
|
||||
name?name:"?", id?id:"?", fn);
|
||||
log_notice(LD_CRYPTO, "Default OpenSSL engine for %s is %s [%s]",
|
||||
fn, name?name:"?", id?id:"?");
|
||||
} else {
|
||||
log_info(LD_CRYPTO, "Using default implementation for %s", fn);
|
||||
}
|
||||
@ -314,6 +314,7 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
|
||||
log_engine("ECDH", ENGINE_get_default_ECDH());
|
||||
log_engine("ECDSA", ENGINE_get_default_ECDSA());
|
||||
log_engine("RAND", ENGINE_get_default_RAND());
|
||||
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
|
||||
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
|
||||
log_engine("3DES-CBC", ENGINE_get_cipher_engine(NID_des_ede3_cbc));
|
||||
log_engine("AES-128-ECB", ENGINE_get_cipher_engine(NID_aes_128_ecb));
|
||||
@ -334,6 +335,13 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
|
||||
log_info(LD_CRYPTO, "NOT using OpenSSL engine support.");
|
||||
}
|
||||
|
||||
if (RAND_get_rand_method() != RAND_SSLeay()) {
|
||||
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
|
||||
"a replacement the OpenSSL RNG. Resetting it to the default "
|
||||
"implementation.");
|
||||
RAND_set_rand_method(RAND_SSLeay());
|
||||
}
|
||||
|
||||
evaluate_evp_for_aes(-1);
|
||||
evaluate_ctr_for_aes();
|
||||
|
||||
|
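Review bot: In the last hunk of crypto_global_init, `RAND_set_rand_method(RAND_SSLeay());` is not followed by any confirmation that the default method is actually in effect, so a reset that did not take would leave an engine-supplied RNG in use while the only log line, at notice level, says it was fixed. I would re-check after the call, for example `if (RAND_get_rand_method() != RAND_SSLeay()) log_warn(LD_CRYPTO, "Could not restore the default OpenSSL RNG.");`, and treat that as an initialization failure if callers can handle one; the function body starts and ends outside the hunks shown, so its return convention is not visible here. The check also runs only at this one point, so anything that sets engine defaults later would presumably go unnoticed, which deserves a comment stating that assumption. Two smaller points: the notice text "a replacement the OpenSSL RNG" is missing a word ("a replacement for the OpenSSL RNG"), and the `-314,6 +314,7` header implies that both `log_engine("RAND", ...)` and `log_engine("RAND (which we will not use)", ...)` remain in the merged file, so the RAND engine would be logged twice, which looks like a merge leftover.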