Package: openssl Version: 1.0.1e-4 Severity: normal Tags: patch User: [email protected] Usertags: origin-ubuntu trusty ubuntu-patch
*** /tmp/tmpVmJEAg/bug_body OpenSSL uses rdrand exclusively if it is available. http://seclists.org/fulldisclosure/2013/Dec/99 http://wiki.openssl.org/index.php/Library_Initialization#ENGINEs_and_RDRAND Upstream has changed this behaviour. In Ubuntu, the attached patch was applied to achieve the following: * debian/patches/no_default_rdrand.patch: Don't use rdrand engine as default unless explicitly requested. Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers saucy-updates APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy-proposed'), (500, 'saucy'), (100, 'saucy-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.11.0-15-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog diff -Nru openssl-1.0.1e/debian/patches/no_default_rdrand.patch openssl-1.0.1e/debian/patches/no_default_rdrand.patch --- openssl-1.0.1e/debian/patches/no_default_rdrand.patch 1969-12-31 19:00:00.000000000 -0500 +++ openssl-1.0.1e/debian/patches/no_default_rdrand.patch 2013-12-19 15:39:17.000000000 -0500 @@ -0,0 +1,25 @@ +From 8f68678989a198ead3ab59a698302ecb0f1c8fb1 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" <[email protected]> +Date: Wed, 11 Dec 2013 14:45:12 +0000 +Subject: [PATCH] Don't use rdrand engine as default unless explicitly + requested. + +--- + crypto/engine/eng_rdrand.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/engine/eng_rdrand.c b/crypto/engine/eng_rdrand.c +index a9ba5ae..4e9e91d 100644 +--- a/crypto/engine/eng_rdrand.c ++++ b/crypto/engine/eng_rdrand.c +@@ -104,6 +104,7 @@ static int bind_helper(ENGINE *e) + { + if (!ENGINE_set_id(e, engine_e_rdrand_id) || + !ENGINE_set_name(e, engine_e_rdrand_name) || ++ !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) || + !ENGINE_set_init_function(e, rdrand_init) || + !ENGINE_set_RAND(e, &rdrand_meth) ) + return 0; +-- +1.7.9.5 + diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series --- openssl-1.0.1e/debian/patches/series 2013-12-04 12:34:19.000000000 -0500 +++ openssl-1.0.1e/debian/patches/series 2013-12-19 15:39:17.000000000 -0500 @@ -43,3 +43,4 @@ arm64-support openssl-1.0.1e-env-zlib.patch -p1 ppc64-support +no_default_rdrand.patch
