From 7b87003957530427eadce36ed03b4645b481a335 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 18 Dec 2013 11:49:44 -0500
Subject: Never allow OpenSSL engines to replace the RAND_SSLeay method

This fixes bug 10402, where the rdrand engine would use the rdrand
instruction, not as an additional entropy source, but as a replacement
for the entire userspace PRNG.  That's obviously stupid: even if you
don't think that RDRAND is a likely security risk, the right response
to an alleged new alleged entropy source is never to throw away all
previously used entropy sources.

Thanks to coderman and rl1987 for diagnosing and tracking this down.
---
 changes/bug10402 | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 changes/bug10402

(limited to 'changes')

diff --git a/changes/bug10402 b/changes/bug10402
new file mode 100644
index 000000000..eac00bdc6
--- /dev/null
+++ b/changes/bug10402
@@ -0,0 +1,11 @@
+  o Major bugfixes:
+    - Do not allow OpenSSL engines to replace the PRNG, even when
+      HardwareAccel is set. The only default builtin PRNG engine uses
+      the Intel RDRAND instruction to replace the entire PRNG, and
+      ignores all attempts to seed it with more entropy. That's
+      cryptographically stupid: the right response to a new alleged
+      entropy source is never to discard all previously used entropy
+      sources. Fixes bug 10402; works around behavior introduced in
+      OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman"
+      and "rl1987".
+
-- 
cgit v1.2.3