> Thanks for your response.
> Here is how i use RAND_seed in my client :
>
> while (RAND_status() == 0) {
> int rnd = rand();
> RAND_seed(&rnd, sizeof(rnd));
> }
Ungh.
Now you're seeding your random number generator with... a
random number generator. And I bet you never called srand()
which is needed to seed it, which means you're always getting
the same random numbers. And if you did seed it, did you seed
it with something random? And even if you did, it's no use,
because there are only (unsigned int) possible seeds to srand,
so there are only that many possible random strings you could
be getting so you can only be seeding the OpenSSL PRNG with
that many possible inputs. You're still way low on entropy.
from "man rand"
DESCRIPTION
The rand() function returns a pseudo-random integer
between 0 and RAND_MAX.
The srand() function sets its argument as the seed for a
new sequence of pseudo-random integers to be returned by
rand(). These sequences are repeatable by calling srand()
with the same seed value.
If no seed value is provided, the rand() function is auto
matically seeded with a value of 1.
...
So I'd *SERIOUSLY* consider some better random sources.
> Now Serverhello and certificate is accepted but when
> the client tries to generate a RSA key, the control
> does not seem to be coming out of while (*p == '\0')
> in rsa_pk1.c (code below)as buffer is all initilized
> to '\0'.I dont see any data in p being filled when
> RAND_bytes(p,j) is called.
So your code tries to make j bytes of non \0 chars in p,
yes? Seems to work for me, actually. I just copy/pasted
it and slapped a for loop to print at the end and it
worked fine.
--
Brian Hatch C:\WINDOWS
Systems and C:\WINDOWS\GO
Security Engineer C:\PC\CRAWL
http://www.ifokr.org/bri/
Every message PGP signed
pgp00000.pgp
Description: PGP signature
