Wasn't going to get into this, but! 2 comments from my OLD security manual since this seems to be 'running'.

1- This program does not take any steps to initialize the entropy pool. OpenSSL uses the system-provided /dev/[u]random as the source of randomness. OpenSSL should report an error on systems that do not provide the /dev/random device. If you are sure that your system does not support these devices (most notably, WIN32 systems) and the program does not report an error then do not use it if you want really secure and unguessable passwords. There are many real-life examples where the system security was compromised because of poor random number generators.

2- The program will crash if n is too big. No checks are made for the internal buffer sizes. However, since this program is intended to be used by humans who must memorize their passphrases, this is not an issue. The program works correctly for "reasonable" sizes of n (e.g. less than 256).

Source:- BSD Manual April 4, 2005
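As an added example (not the manual's program and not Toybox code), here is a small C passphrase generator that handles both BUGS items defensively: it refuses any n that would overrun its buffer instead of crashing, and it fails closed when the random device cannot be opened or read instead of silently producing a weak password. The 255 cap, the character set and the /dev/urandom path are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PASS 255  /* assumed cap; the manual calls n < 256 "reasonable" */

/* Constructed character set: 62 symbols, so bytes >= 248 are rejected below
 * to avoid modulo bias (256 % 62 == 8). */
static const char charset[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define CHARSET_LEN (sizeof(charset) - 1)
#define REJECT_FROM (256 - 256 % CHARSET_LEN)

/* Generate an n-character passphrase into out (capacity outsz) from the
 * random device dev. Returns 0 on success, -1 on any failure: n does not
 * fit the buffer (the crash case in the BUGS note), or the device cannot be
 * opened or read (the missing-entropy case). Fails closed, never silently. */
int gen_passphrase(const char *dev, size_t n, char *out, size_t outsz)
{
    if (n == 0 || n > MAX_PASS || n >= outsz)
        return -1;                      /* explicit bounds check */
    FILE *f = fopen(dev, "rb");
    if (!f)
        return -1;                      /* no /dev/[u]random: refuse to run */
    size_t i = 0;
    while (i < n) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }   /* short read is an error */
        if ((unsigned)c >= REJECT_FROM)
            continue;                   /* rejection sampling keeps it uniform */
        out[i++] = charset[c % CHARSET_LEN];
    }
    fclose(f);
    out[n] = '\0';
    return 0;
}

/* Check that s is exactly n characters, all drawn from charset. */
int passphrase_ok(const char *s, size_t n)
{
    return strlen(s) == n && strspn(s, charset) == n;
}

int main(void)
{
    char buf[MAX_PASS + 1];
    if (gen_passphrase("/dev/urandom", 20, buf, sizeof buf) != 0)
        return 1;                       /* no usable random device */
    puts(buf);
    return 0;
}
```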
_______________________________________________
Toybox mailing list
http://lists.landley.net/listinfo.cgi/toybox-landley.net