[openssl-dev] Improving OpenSSL default RNG
Dmitry Belyavsky
beldmit at gmail.com
Fri Oct 23 14:40:29 UTC 2015
Hello Alexander,
On Fri, Oct 23, 2015 at 4:22 PM, Alessandro Ghedini <alessandro at ghedini.me>
wrote:
> So, any thought? If there's interest in this, I can look into investigating
> these things more in detail and propose possible patches.
>
>
In Russia we have to certify the RNG hardware and software for using in
organizations where the certified products are required.
Currently we are able to implement custom RAND_METHODs and provide it via
engines. So if the hardware is unavailable, the RAND_bytes() call fails.
In the 1.0.* versions of the OpenSSL library not all calls to RAND*
functions were checked for success, and it caused some problems.
LibreSSL treats their RNG functions as never-failed, and I do not know
about BoringSSL.
So we need non-void RAND API and possibility to provide our own
RAND_METHODs. If the current code is to be refactored, I ask to leave these
options possible.
--
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151023/f652235d/attachment.html>
More information about the openssl-dev
mailing list