From: hniksic <devnull@localhost>
Date: Tue, 18 Nov 2003 22:28:01 +0000 (-0800)
Subject: [svn] Warn the user when using weak random seed.
X-Git-Tag: v1.13~1377
X-Git-Url: http://sjero.net/git/?p=wget;a=commitdiff_plain;h=581f9539a39bb85db955562b205a4d9faa6556fb

[svn] Warn the user when using weak random seed.
---

diff --git a/src/ChangeLog b/src/ChangeLog
index a5f15ff9..6b39e88f 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2003-11-18  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* gen_sslfunc.c (ssl_init_prng): Warn the user when using a weak
+	random seed.
+
 2003-11-18  Hrvoje Niksic  <hniksic@xemacs.org>
 
 	* host.c (address_list_contains): Renamed address_list_find to
diff --git a/src/gen_sslfunc.c b/src/gen_sslfunc.c
index 8f6058a6..c21e1679 100644
--- a/src/gen_sslfunc.c
+++ b/src/gen_sslfunc.c
@@ -98,12 +98,14 @@ ssl_init_prng (void)
     return;
 #endif
 
-  /* Still not enough randomness, presumably because neither random
-     file nor EGD have been available.  Use the stupidest possible
-     method -- seed OpenSSL's PRNG with the system's PRNG.  This is
-     insecure in the cryptographic sense, but people who care about
-     security will use /dev/random or their own source of randomness
-     anyway.  */
+  /* Still not enough randomness, most likely because neither
+     /dev/random nor EGD were available.  Resort to a simple and
+     stupid method -- seed OpenSSL's PRNG with libc PRNG.  This is
+     cryptographically weak, but people who care about strong
+     cryptography should install /dev/random (default on Linux) or
+     specify their own source of randomness anyway.  */
+
+  logprintf (LOG_VERBOSE, _("Warning: using a weak random seed.\n"));
 
   while (RAND_status () == 0 && maxrand-- > 0)
     {