> Thanks for your response. > Here is how i use RAND_seed in my client : > > while (RAND_status() == 0) { > int rnd = rand(); > RAND_seed(&rnd, sizeof(rnd)); > }
Ungh. Now you're seeding your random number generator with... a random number generator. And I bet you never called srand() which is needed to seed it, which means you're always getting the same random numbers. And if you did seed it, did you seed it with something random? And even if you did, it's no use, because there are only (unsigned int) possible seeds to srand, so there are only that many possible random strings you could be getting so you can only be seeding the OpenSSL PRNG with that many possible inputs. You're still way low on entropy. from "man rand" DESCRIPTION The rand() function returns a pseudo-random integer between 0 and RAND_MAX. The srand() function sets its argument as the seed for a new sequence of pseudo-random integers to be returned by rand(). These sequences are repeatable by calling srand() with the same seed value. If no seed value is provided, the rand() function is auto matically seeded with a value of 1. ... So I'd *SERIOUSLY* consider some better random sources. > Now Serverhello and certificate is accepted but when > the client tries to generate a RSA key, the control > does not seem to be coming out of while (*p == '\0') > in rsa_pk1.c (code below)as buffer is all initilized > to '\0'.I dont see any data in p being filled when > RAND_bytes(p,j) is called. So your code tries to make j bytes of non \0 chars in p, yes? Seems to work for me, actually. I just copy/pasted it and slapped a for loop to print at the end and it worked fine. -- Brian Hatch C:\WINDOWS Systems and C:\WINDOWS\GO Security Engineer C:\PC\CRAWL http://www.ifokr.org/bri/ Every message PGP signed
pgp00000.pgp
Description: PGP signature