On Tue, 17 Apr 2001, Götz Babin-Ebell wrote:
> Andy Brown wrote:
> > I believe I've found a bug with the UNIX command-line "openssl enc"
...
> > This leads me to believe it's an allocation problem.
>
> It is not.
>
> If no IV is set, it is undefined and some random value is used.
> (an uninitialized part of the memory...)
EVP_BytesToKey(,,salt,password,,,,iv) is used to set the IV, namely
to derive it from the salt and password.
...openssl-0.9.6/apps/enc.c, line 501
A similar technique was specified for PKCS12.
> Perhaps it would be better to fill it with random data...
Excellent question!
I'd like to know some background and/or reasoning here.
regards,
Vadim
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
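
The derivation discussed in this message, as an added example that is not part of the original post and not OpenSSL's own code: a Python re-implementation of the EVP_BytesToKey construction, showing that the IV is a deterministic function of password and salt rather than leftover memory. It assumes MD5 with an iteration count of 1 and des-ede3-cbc sizes (24-byte key, 8-byte IV); the password and salts are constructed sample values.

```python
import hashlib


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5", count=1):
    """Derive (key, iv) the way EVP_BytesToKey does.

    D_1 = H^count(password || salt)
    D_i = H^count(D_{i-1} || password || salt)
    key || iv = leading bytes of D_1 || D_2 || ...
    """
    if salt and len(salt) != 8:
        raise ValueError("salt must be 8 bytes, or empty for the unsalted case")
    if count < 1:
        raise ValueError("count must be at least 1")
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        # First round hashes the previous block together with password and salt.
        block = hashlib.new(md, block + password + salt).digest()
        # Remaining rounds re-hash the digest alone.
        for _ in range(count - 1):
            block = hashlib.new(md, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def demo():
    # Constructed sample inputs (assumptions, not taken from the thread).
    password = b"constructed-passphrase"
    salt_a = bytes.fromhex("0102030405060708")
    salt_b = bytes.fromhex("0807060504030201")
    key_a1, iv_a1 = evp_bytes_to_key(password, salt_a, 24, 8)
    key_a2, iv_a2 = evp_bytes_to_key(password, salt_a, 24, 8)
    key_b, iv_b = evp_bytes_to_key(password, salt_b, 24, 8)
    # Unsalted case: the same password always gives the same key and IV.
    key_n1, iv_n1 = evp_bytes_to_key(password, b"", 24, 8)
    key_n2, iv_n2 = evp_bytes_to_key(password, b"", 24, 8)
    return {
        "same_salt_same_iv": iv_a1 == iv_a2 and key_a1 == key_a2,
        "new_salt_new_iv": iv_a1 != iv_b and key_a1 != key_b,
        "unsalted_is_fixed": iv_n1 == iv_n2 and key_n1 == key_n2,
        "iv_hex": iv_a1.hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Decryption can recompute the same IV from the password and the stored salt, so a randomly filled IV would have to be carried alongside the ciphertext instead.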