Bugtraq mailing list archives
qmail starttls patch does not seed the random number generator
From: Felix von Leitner <felix-qmail () fefe de>
Date: Wed, 15 Aug 2001 02:57:36 +0200
openssl-0.9.6b does not allow ssl/tls connections when the random number has not been seeded. This is a good idea, and it exposes that the starttls patch for qmail does not seed the random number generator. Here is a small patch that fixes the problem in qmail-remote for systems that support /dev/urandom (the same can be done for qmail-smtpd but I can't test it right now). Not seeding the random number generator is a serious bug and it completely compromises the cryptographic privacy of TLS encrypted emails. Felix --- qmail-1.03/qmail-remote.c Wed Aug 15 02:52:23 2001 +++ qmail-1.03-diet/qmail-remote.c Wed Aug 15 02:43:07 2001 @@ -431,6 +431,13 @@ SSL_set_fd(ssl,smtpfd); alarm(timeout); + { + int randfd=open_read("/dev/urandom"); + char buf[64]; + int len=read(randfd,buf,64); + close(randfd); + if (len>32) RAND_seed(buf,len); + } r = SSL_connect(ssl); saveerrno = errno; alarm(0); if (flagtimedout)
Current thread:
- qmail starttls patch does not seed the random number generator Felix von Leitner (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Wojciech Purczynski (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Jack Lloyd (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Scott Renfro (Aug 16)
- Re: qmail starttls patch does not seed the random number generator D. J. Bernstein (Aug 19)
- Re: qmail starttls patch does not seed the random number generator Jack Lloyd (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Brian Hatch (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Frederik Vermeulen (Aug 16)
- Re: qmail starttls patch does not seed the random number generator Wojciech Purczynski (Aug 15)