From 581f9539a39bb85db955562b205a4d9faa6556fb Mon Sep 17 00:00:00 2001
From: hniksic <devnull@localhost>
Date: Tue, 18 Nov 2003 14:28:01 -0800
Subject: [PATCH] [svn] Warn the user when using weak random seed.

---
 src/ChangeLog     |  5 +++++
 src/gen_sslfunc.c | 14 ++++++++------
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index a5f15ff9..6b39e88f 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2003-11-18  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* gen_sslfunc.c (ssl_init_prng): Warn the user when using a weak
+	random seed.
+
 2003-11-18  Hrvoje Niksic  <hniksic@xemacs.org>
 
 	* host.c (address_list_contains): Renamed address_list_find to
diff --git a/src/gen_sslfunc.c b/src/gen_sslfunc.c
index 8f6058a6..c21e1679 100644
--- a/src/gen_sslfunc.c
+++ b/src/gen_sslfunc.c
@@ -98,12 +98,14 @@ ssl_init_prng (void)
     return;
 #endif
 
-  /* Still not enough randomness, presumably because neither random
-     file nor EGD have been available.  Use the stupidest possible
-     method -- seed OpenSSL's PRNG with the system's PRNG.  This is
-     insecure in the cryptographic sense, but people who care about
-     security will use /dev/random or their own source of randomness
-     anyway.  */
+  /* Still not enough randomness, most likely because neither
+     /dev/random nor EGD were available.  Resort to a simple and
+     stupid method -- seed OpenSSL's PRNG with libc PRNG.  This is
+     cryptographically weak, but people who care about strong
+     cryptography should install /dev/random (default on Linux) or
+     specify their own source of randomness anyway.  */
+
+  logprintf (LOG_VERBOSE, _("Warning: using a weak random seed.\n"));
 
   while (RAND_status () == 0 && maxrand-- > 0)
     {