From: Mark Jorgen Olesen <[EMAIL PROTECTED]>
mjo4> Module:
mjo4> md_rand.c
mjo4>
mjo4> Function:
mjo4> static int ssleay_rand_bytes(unsigned char *buf, int num)
mjo4>
mjo4> Synopsis:
mjo4> The function always fails when entropy < ENTROPY_NEEDED
mjo4>
mjo4> Description:
mjo4> The variable "ok" is set as follows:
mjo4>
mjo4> ok = (entropy >= ENTROPY_NEEDED)
mjo4>
mjo4> When I was tracing the code, "ok" was set to 0. It then
mjo4> proceeded through the rest of the code such as completing the
mjo4> entire for loop. However, on completion with no errors, the
mjo4> function failed because ok was still 0; "ok" was not reset:
mjo4>
mjo4>     if (ok)
mjo4>         return(1);
mjo4>     else
mjo4>         {
mjo4>         RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
mjo4>         return(0);
mjo4>         }
Question: what was entropy through that trace? The function *should*
fail when entropy < ENTROPY_NEEDED (the name "ENTROPY_NEEDED" should
be a huge hint that this is desired).

I've seen that you call this a "possible bug". My answer is "nope,
not a bug. It's a feature. A security feature".
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
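The behaviour discussed in this thread, as an added example that is not part of either message and is not OpenSSL's code: a small C model of a generator that decides `ok` once from its entropy estimate, still runs its output loop, and lets `ok` alone decide the return value, together with a caller that fails closed on a 0 return. The `model_*` names, the `make_key` helper, the threshold value and the toy mixing step are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed threshold for this model; the thread does not state the
 * real value of ENTROPY_NEEDED. */
#define MODEL_ENTROPY_NEEDED 32.0

struct model_pool {
    double entropy;       /* entropy credited so far by seeding */
    unsigned long state;  /* toy mixing state, NOT a real PRNG */
};

/* Hypothetical seeding call: mix data in and credit the caller's estimate. */
void model_seed(struct model_pool *p, const unsigned char *data,
                size_t len, double credit)
{
    for (size_t i = 0; i < len; i++)
        p->state = p->state * 1103515245UL + data[i] + 12345UL;
    p->entropy += credit;
}

/* Same shape as the function in the report: "ok" is computed once, the
 * loop completes without error, and "ok" is never reset afterwards. */
int model_rand_bytes(struct model_pool *p, unsigned char *buf, size_t num)
{
    int ok = (p->entropy >= MODEL_ENTROPY_NEEDED);

    for (size_t i = 0; i < num; i++) {
        p->state = p->state * 1103515245UL + 12345UL;
        buf[i] = (unsigned char)(p->state >> 16);
    }
    return ok ? 1 : 0;   /* 0 means "not seeded", not "loop failed" */
}

/* Caller side: a 0 return means the bytes in buf must not be used as key
 * material, even though the buffer was written. Returns 0 on success. */
int make_key(struct model_pool *p, unsigned char *key, size_t len)
{
    if (model_rand_bytes(p, key, len) != 1) {
        memset(key, 0, len);  /* discard the under-seeded output */
        return -1;
    }
    return 0;
}
```
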