25 Mar
2006
25 Mar
'06
9:26 a.m.
On Fri, 2006-03-17 at 17:28 +0100, Vilmos Nebehaj wrote:
Hi,
dovecot tries to use OpenSSL's PRNG to generate random numbers if there is no /dev/urandom found. Unfortunately, it is flawed in its
present form, since the PRNG is not seeded before RAND_bytes() is called in src/lib/randgen.c (on systems which have /dev/urandom, OpenSSL automatically seeds its PRNG from the urandom device).Here's a patch to address this issue: it tries to seed the PRNG if there is no /dev/urandom present (which is likely the case if dovecot uses OpenSSL's RAND API). It can also be fetched from
Thanks, committed to CVS. I did a couple of minor changes to make it consistent with Dovecot's coding style.