Harakiri wrote:

> I've not dug through the whole openssl source yet - but it
> seems to me that the recent Debian
> Issue with the ssleay_rand_add method here
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
>
> does not affect the command line tool when called with
>
> openssl req -config $MY_CONFIG -noout -x509 -newkey rsa:$MY_KEY_LENGTH
> (in contrast to openssl genrsa)
> where in $CONFIG *no* RANDFILE is defined.
>
> AFAIK the method in question is never called from the request
> command line utility. And by default
> - the /root/.rnd or $HOME/.rnd file is always used if no RANDFILE
> is given.

It seems that in this case, the modified method is never called. The random
data comes from /dev/urandom and/or ~/.rnd. The only possible problem I can
think of is if the data in ~/.rnd traced to output from a buggy RNG,
possibly from previous invocations of the buggy OpenSSL.

DS

PS: There are so many things wrong with that commit, it's almost hard to
list them all. Did anyone even notice that half of that commit has no effect
unless 'PURIFY' is defined, and it obviously wasn't tested with 'PURIFY'
defined because it wouldn't even compile?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
