https_init: result from `RAND_load_file` is unchecked
ngie-eign commented
In the event the PRNG hasn't been sufficiently seeded and `$RANDFILE` points to an invalid file (for instance), any failure that occurs on line 405 in `https_init` will be ignored.
The call should be checked to ensure that the PRNG is indeed properly seeded by duo_unix -- otherwise crypto guarantees could be invalidated by the weakness.
Reported by Coverity.
Line 405 in 5ca4f5a
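
An added example, not part of the original issue and not duo_unix's code: one way to check the seeding step the report describes, treating a failed `RAND_load_file` as fatal only when `RAND_status` still reports the PRNG unseeded. The names `seed_prng_checked`, `rand_ops`, the `fake_*` stand-ins, the seed path and the 8192-byte limit are assumptions made for illustration; the real OpenSSL calls are bound only when built with `-DUSE_OPENSSL -lcrypto`.

```c
#include <stdio.h>
#ifdef USE_OPENSSL                 /* -DUSE_OPENSSL -lcrypto binds the real calls */
#include <openssl/rand.h>
#endif

enum seed_result { SEED_OK, SEED_OK_FILE_UNUSED, SEED_FAILED };

struct rand_ops {                  /* same signatures as the OpenSSL functions */
    int (*load_file)(const char *path, long max_bytes); /* bytes read, -1 on error */
    int (*status)(void);                                /* 1 once PRNG is seeded */
};

/* Try the seed file, then refuse to go on unless the PRNG reports seeded. */
enum seed_result seed_prng_checked(const struct rand_ops *ops, const char *path,
                                   long max_bytes)
{
    int n = -1;

    if (path != NULL && path[0] != '\0')
        n = ops->load_file(path, max_bytes);
    if (n <= 0)
        fprintf(stderr, "warning: no seed data read from seed file\n");
    if (ops->status() != 1)
        return SEED_FAILED;        /* caller must abort TLS setup here */
    return n > 0 ? SEED_OK : SEED_OK_FILE_UNUSED;
}

/* Constructed stand-ins so the three outcomes can be shown without OpenSSL. */
static int fake_load_fail(const char *p, long m) { (void)p; (void)m; return -1; }
static int fake_load_ok(const char *p, long m)   { (void)p; return (int)m; }
static int fake_seeded(void)   { return 1; }
static int fake_unseeded(void) { return 0; }
const struct rand_ops bad_file_unseeded = { fake_load_fail, fake_unseeded };
const struct rand_ops bad_file_seeded   = { fake_load_fail, fake_seeded };
const struct rand_ops good_file_seeded  = { fake_load_ok,   fake_seeded };

int main(void)
{
#ifdef USE_OPENSSL
    const struct rand_ops ops = { RAND_load_file, RAND_status };
#else
    const struct rand_ops ops = bad_file_unseeded;
#endif
    /* Constructed path and byte limit, not values taken from duo_unix. */
    if (seed_prng_checked(&ops, "/nonexistent/seed", 8192) == SEED_FAILED) {
        fprintf(stderr, "PRNG not seeded, refusing to start TLS\n");
        return 1;
    }
    return 0;
}
```
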