[openssl-dev] Work on a new RNG for OpenSSL
Kurt Roeckx
kurt at roeckx.be
Wed Jun 28 17:20:44 UTC 2017
On Wed, Jun 28, 2017 at 12:01:29PM -0500, Benjamin Kaduk via openssl-dev wrote:
>
> I'm not sure what you mean by "draining the kernel's entropy pools".
> That is, if you are adhering to the belief that taking random bits out
> of a generator removes entropy from it that must be replenished, does
> that not apply also to any generator/pool we write for ourselves? Or
> maybe you just refer to the behavior of linux /dev/random, in which case
> I would point out Ted (the author/maintainer of linux /dev/random)'s
> suggestion to just use (getrandom or) /dev/random and tacit agreement
> that the behavior of reducing the entropy count on reads from
> /dev/random is not really needed anymore.

Replace all /dev/random with /dev/urandom.

> At boot time *all* pools are empty. FreeBSD has a random seed file on
> disk to be loaded on next boot that helps with this (I didn't check
> linux),

It depends on the distro, but they should all be doing this. On
systems using systemd that file is probably
/var/lib/systemd/random-seed.

Kurt
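
An added example, not part of the message above and not OpenSSL code: one way an application can pull seed material along the lines discussed in the thread, using getrandom() so that the empty-pool state at boot is reported to the caller, with /dev/urandom as the fallback where the system call is missing. The helper name seed_bytes and its return codes are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (name and return codes are assumptions).
 * Fills buf with len bytes from the kernel CSPRNG.
 * Returns  0 on success,
 *         -1 on an unrecoverable error,
 *         -2 if the kernel pool has not been seeded yet (early boot),
 *            so the caller can wait or refuse to generate keys. */
int seed_bytes(unsigned char *buf, size_t len)
{
    size_t off = 0;
    int fd;

    while (off < len) {
        /* GRND_NONBLOCK: fail with EAGAIN instead of blocking while
         * the pool is still uninitialised. */
        ssize_t n = getrandom(buf + off, len - off, GRND_NONBLOCK);
        if (n > 0) { off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == EAGAIN) return -2;
        if (n < 0 && errno == ENOSYS) break;  /* kernel lacks getrandom() */
        return -1;
    }
    if (off == len)
        return 0;

    /* Fallback for kernels without getrandom(). /dev/urandom never
     * blocks, so on this path an unseeded pool cannot be detected;
     * it relies on the boot-time seed file having been loaded. */
    fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n > 0) { off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}
```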