qmail starttls patch does not seed the random number generator

From: Felix von Leitner (felix-qmailat_private)
Date: Tue Aug 14 2001 - 17:57:36 PDT


    openssl-0.9.6b does not allow ssl/tls connections when the random number
    has not been seeded.  This is a good idea, and it exposes that the
    starttls patch for qmail does not seed the random number generator.
    
    Here is a small patch that fixes the problem in qmail-remote for systems
    that support /dev/urandom (the same can be done for qmail-smtpd but I
    can't test it right now).  Not seeding the random number generator is a
    serious bug and it completely compromises the cryptographic privacy of
    TLS encrypted emails.
    
    Felix
    
    --- qmail-1.03/qmail-remote.c	Wed Aug 15 02:52:23 2001
    +++ qmail-1.03-diet/qmail-remote.c	Wed Aug 15 02:43:07 2001
    @@ -431,6 +431,13 @@
           SSL_set_fd(ssl,smtpfd);
     
           alarm(timeout);
    +      {
    +	int randfd=open_read("/dev/urandom");
    +	char buf[64];
    +	int len=read(randfd,buf,64);
    +	close(randfd);
    +	if (len>32) RAND_seed(buf,len);
    +      }
           r = SSL_connect(ssl); saveerrno = errno;
           alarm(0); 
           if (flagtimedout) 
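
Review bot: the added block never checks the result of open_read("/dev/urandom"), so when the open fails, read() and close() are called on an invalid descriptor, len comes back negative, RAND_seed() is skipped, and execution still falls through to SSL_connect(ssl) with an unseeded generator. Check randfd and len explicitly and abandon the TLS attempt when seeding did not happen, rather than relying on the library to refuse the connection. The len>32 threshold against a 64-byte request is also unexplained; a comment stating why a short read is acceptable would help, and buf should be cleared after RAND_seed() because it leaves seed material on the stack.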
    
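
A fail-closed version of the seeding step the message describes, as an added example that is not part of the original post or of the qmail patch. The names read_seed, seed_prng and count_seed are hypothetical; count_seed is a constructed stand-in with the same signature as OpenSSL's RAND_seed(), which a real caller would pass instead.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define SEED_BYTES 64                 /* the amount the patch reads */
typedef void (*seed_fn)(const void *buf, int num);  /* shape of RAND_seed() */

/* Read exactly `want` bytes from `path`; 0 on success, -1 on open
 * failure, read error or EOF. Retries reads interrupted by a signal. */
int read_seed(const char *path, unsigned char *buf, size_t want)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;            /* error or EOF: give up */
        got += (size_t)n;
    }
    close(fd);
    return got == want ? 0 : -1;
}

/* Seed only with a full buffer, wipe it, and report failure so the
 * caller can refuse to start the TLS handshake. */
int seed_prng(const char *path, seed_fn seed)
{
    unsigned char buf[SEED_BYTES];
    volatile unsigned char *p = buf;  /* volatile so the wipe is not optimised away */
    int rc = read_seed(path, buf, sizeof buf);
    if (rc == 0) seed(buf, (int)sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) p[i] = 0;
    return rc;
}

/* Constructed stand-in for RAND_seed() so the example links without OpenSSL. */
int seeded_bytes = 0;
void count_seed(const void *buf, int num) { (void)buf; seeded_bytes += num; }

int main(void)
{
    int ok = seed_prng("/dev/urandom", count_seed);
    printf("urandom: rc=%d seeded=%d\n", ok, seeded_bytes);
    printf("missing: rc=%d\n", seed_prng("/nonexistent/urandom", count_seed));
    return ok == 0 ? 0 : 1;
}
```

A caller in the position of the patched code would skip SSL_connect() whenever seed_prng() returns -1.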


