[openssl-dev] Improving OpenSSL default RNG

Alessandro Ghedini alessandro at ghedini.me
Fri Oct 23 17:07:21 UTC 2015


On Fri, Oct 23, 2015 at 05:40:29PM +0300, Dmitry Belyavsky wrote:
> Hello Alexander,
> 
> On Fri, Oct 23, 2015 at 4:22 PM, Alessandro Ghedini <alessandro at ghedini.me>
> wrote:
> 
> 
> > So, any thoughts? If there's interest in this, I can look into investigating
> > these things more in detail and propose possible patches.
> >
> >
> In Russia we have to certify the RNG hardware and software for use in
> organizations where the certified products are required.
> Currently we are able to implement custom RAND_METHODs and provide it via
> engines. So if the hardware is unavailable, the RAND_bytes() call fails.
> 
> In the 1.0.* versions of the OpenSSL library not all calls to RAND*
> functions were checked for success, and it caused some problems.
> LibreSSL treats their RNG functions as never failing, and I do not know
> about BoringSSL.
> 
> So we need a non-void RAND API and the possibility to provide our own
> RAND_METHODs. If the current code is to be refactored, I ask to leave these
> options possible.

Yeah, the idea is to keep the current ENGINE API, and only change the default
RAND_METHOD which is returned by RAND_SSLeay(). So if you use any other RNG
this change shouldn't affect you.

Cheers
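
The failure mode raised in this thread (a custom RNG method that fails when its hardware is unavailable, combined with call sites that ignore the result), as an added example that is not part of the original message or of OpenSSL's code. `rng_method`, `hw_bytes`, `hw_present` and the two `make_key_*` functions are hypothetical stand-ins; only the 1-on-success return convention is taken from RAND_bytes().

```c
#include <stdio.h>
#include <string.h>
#define KEY_LEN 16

/* Hypothetical stand-in for a RAND_METHOD-style table (not OpenSSL's struct). */
/* bytes() follows the RAND_bytes() convention: 1 on success, anything else is failure. */
typedef struct { int (*bytes)(unsigned char *buf, int num); } rng_method;

static int hw_present = 1; /* constructed flag: is the hardware RNG attached? */

/* Simulated hardware-backed source with no software fallback. */
static int hw_bytes(unsigned char *buf, int num) {
    if (!hw_present) return 0;          /* fail instead of degrading silently */
    for (int i = 0; i < num; i++)
        buf[i] = (unsigned char)(0xA5 ^ (i * 37)); /* placeholder bytes, NOT random */
    return 1;
}
static const rng_method hw_method = { hw_bytes };

static int all_zero(const unsigned char *buf, int num) {
    unsigned char acc = 0;
    for (int i = 0; i < num; i++) acc |= buf[i];
    return acc == 0;
}

/* Unchecked call site: on failure the key keeps its zero-initialised content. */
static void make_key_unchecked(const rng_method *m, unsigned char key[KEY_LEN]) {
    memset(key, 0, KEY_LEN);
    (void)m->bytes(key, KEY_LEN);       /* return value ignored */
}

/* Checked call site: propagate the failure and never hand back a usable key. */
static int make_key_checked(const rng_method *m, unsigned char key[KEY_LEN]) {
    if (m->bytes(key, KEY_LEN) != 1) {
        memset(key, 0, KEY_LEN);        /* wipe any partial output */
        return 0;
    }
    return 1;
}

int main(void) {
    unsigned char key[KEY_LEN];
    hw_present = 0;                     /* simulate the device being unavailable */
    make_key_unchecked(&hw_method, key);
    printf("unchecked: all-zero key = %d\n", all_zero(key, KEY_LEN));
    printf("checked: returned %d\n", make_key_checked(&hw_method, key));
    return 0;
}
```
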