I found a problem with "openssl smime -rand filename". If I specify a randfile then this file is not updated by apps/smime.c. The program calls app_RAND_write_file with a NULL pointer even if a randfile was specified. The result is that app_RAND_write_file in apps/app_rand.c tries to get a filename via RAND_file_name from crypto/rand/randfile.c. This function checks the environment variables RANDFILE and HOME or falls back to the default position.
The problem is that this is a security issue because the randfile is never updated. We (OpenCA) work on a batch system and for such systems with high volumes of operations such a never changing random can be really critical - or at minimum I believe this today. A fix could look like this:
OLD:
if (need_rand)
app_RAND_write_file(NULL, bio_err);NEW:
if (need_rand)
{
if (inrand != NULL)
app_RAND_write_file(inrand, bio_err);
else
app_RAND_write_file(NULL, bio_err);
}If you agree that this is a bug then I forward it to rt.
Best regards
Michael -- ------------------------------------------------------------------- Michael Bell Email: [EMAIL PROTECTED] ZE Computer- und Medienservice Tel.: +49 (0)30-2093 2482 (Computing Centre) Fax: +49 (0)30-2093 2704 Humboldt-University of Berlin Unter den Linden 6 10099 Berlin Email (private): [EMAIL PROTECTED] Germany http://www.openca.org
______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
