[openssl-dev] Plea for a new public OpenSSL RNG API

Kurt Roeckx kurt at roeckx.be
Tue Aug 29 16:41:26 UTC 2017


On Tue, Aug 29, 2017 at 01:05:21PM +0000, Dr. Matthias St. Pierre wrote:
> 
> Currently it's only possible to customize the callbacks but not the deterministic algorithm. IMHO this is sufficient for the needs of a standard OpenSSL user who only wants control over the entropy source. A true new algorithm (like e.g. CHACHA2_DRBG) should be implemented by experts and added mainstream. So I don't see any advantage of having an engine over using the 'vtable' approach from the FIPS DRBG, which has been removed.

I've been looking at implementing a chacha20 based DRBG, which
isn't that hard. But there are various choices you can make, and
every chacha20 RNG that I've seen seems to take a random set of
those choices. I really wish there was some standardized version.


Kurt



More information about the openssl-dev mailing list