[svn] Warn the user when using weak random seed.

2024-07-03 16:38:41 -04:00 · 2003-11-18 14:28:01 -08:00 · 2003-11-18 14:28:01 -08:00 · 581f9539a3
commit 581f9539a3
parent 0fb0ee87c7
2 changed files with 13 additions and 6 deletions
--- a/src/ChangeLog
+++ b/src/ChangeLog
@ -1,3 +1,8 @@
+2003-11-18  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* gen_sslfunc.c (ssl_init_prng): Warn the user when using a weak
+	random seed.
+
 2003-11-18  Hrvoje Niksic  <hniksic@xemacs.org>

 	* host.c (address_list_contains): Renamed address_list_find to
--- a/src/gen_sslfunc.c
+++ b/src/gen_sslfunc.c
@ -98,12 +98,14 @@ ssl_init_prng (void)
    return;
 #endif

-  /* Still not enough randomness, presumably because neither random
-     file nor EGD have been available.  Use the stupidest possible
-     method -- seed OpenSSL's PRNG with the system's PRNG.  This is
-     insecure in the cryptographic sense, but people who care about
-     security will use /dev/random or their own source of randomness
-     anyway.  */
+  /* Still not enough randomness, most likely because neither
+     /dev/random nor EGD were available.  Resort to a simple and
+     stupid method -- seed OpenSSL's PRNG with libc PRNG.  This is
+     cryptographically weak, but people who care about strong
+     cryptography should install /dev/random (default on Linux) or
+     specify their own source of randomness anyway.  */
+
+  logprintf (LOG_VERBOSE, _("Warning: using a weak random seed.\n"));

  while (RAND_status () == 0 && maxrand-- > 0)
    {