[openssl-dev] Plea for a new public OpenSSL RNG API
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Tue Aug 29 19:04:53 UTC 2017
>> IMHO this interface is a way for the user to improve the quality of the randomness it would get from the given RNG, *not* to replace (or diminish) its other sources. My proposal is to abolish this parameter, especially since now it is simply ignored (and IMHO – for a good reason).
> That's a fine proposal ... it just can't be implemented until a major release boundary, when our ABI stability policy permits such breaking changes.
And that is fine. The sooner the better, but ABI stability makes sense too.
My main point is: RAND_add() and whatever similar in purpose interface calls we may define in the future should exhibit the following behavior:
1. Mix the provided randomness into the RNG state *immediately*, and
2. Keep pulling other sources and mixing them into the state – don’t subtract from the “needed entropy” count the amount you presumably got from the user.
Frankly, the need to provide a double entropy argument doesn’t bother me all that much – especially if the value 0 is accepted there. ;-)
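The two properties argued for above (mix caller-supplied data into the state at once, and never let the caller's entropy estimate reduce what the generator still pulls from its own sources) can be shown with a small hash-based toy generator. This is an added illustration, not OpenSSL's code and not its DRBG design; `ToyDRBG`, `add()` (a stand-in for `RAND_add()` with its ignored `double` estimate) and the deterministic `counting_source` are assumptions made for the example. The `credit_caller_entropy` flag implements the behaviour the message argues against, so the two can be compared.

```python
import hashlib
import os


class ToyDRBG:
    """Toy hash-based generator (illustration only, not a real DRBG).

    Two properties are demonstrated:
      * add() mixes caller data into the state immediately;
      * add() grants no entropy credit, so the generator still pulls
        from its own source on its normal reseed schedule.
    With credit_caller_entropy=True the caller's estimate is trusted and
    the next scheduled reseed is skipped, which is the behaviour the
    message above argues against.
    """

    RESEED_INTERVAL = 4  # outputs permitted before the own source must be pulled again

    def __init__(self, os_source=os.urandom, credit_caller_entropy=False):
        self.os_source = os_source
        self.credit_caller_entropy = credit_caller_entropy
        self.state = b""
        self.outputs_since_reseed = 0
        self.seeded = False

    def _mix(self, tag, data):
        # Domain-separated hash ratchet over the current state.
        self.state = hashlib.sha256(tag + self.state + data).digest()

    def reseed(self):
        # Always pulls from the generator's own source.
        self._mix(b"reseed", self.os_source(32))
        self.outputs_since_reseed = 0
        self.seeded = True

    def add(self, data, entropy_estimate=0.0):
        """Analogue of RAND_add(): mix now; the estimate is only used when
        the (discouraged) credit flag is set."""
        self._mix(b"add", data)
        if self.credit_caller_entropy and entropy_estimate > 0:
            self.outputs_since_reseed = 0  # caller's claim replaces a real reseed
        return self.outputs_since_reseed

    def bytes(self, n):
        if not self.seeded or self.outputs_since_reseed >= self.RESEED_INTERVAL:
            self.reseed()
        out, counter = b"", 0
        while len(out) < n:
            block = b"out" + self.state + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        self._mix(b"step", b"")  # ratchet so earlier output cannot be recovered
        self.outputs_since_reseed += 1
        return out[:n]


def counting_source(seed):
    """Constructed deterministic stand-in for os.urandom so the demo is
    repeatable; records every pull in src.calls."""
    calls = []

    def src(n):
        calls.append(n)
        return hashlib.sha256(seed + len(calls).to_bytes(4, "big")).digest()[:n]

    src.calls = calls
    return src


def add_changes_output_immediately():
    """Two identically seeded generators diverge as soon as add() is called on one."""
    a = ToyDRBG(counting_source(b"fixed"))
    b = ToyDRBG(counting_source(b"fixed"))
    a.bytes(8)
    b.bytes(8)  # both now hold the same state
    b.add(b"user supplied data", entropy_estimate=0.0)
    return a.bytes(16) != b.bytes(16)


def reseed_calls_after_add(credit_caller_entropy):
    """How many times the own source is pulled when the caller claims 256 bits
    of entropy via add() and then draws RESEED_INTERVAL outputs."""
    src = counting_source(b"fixed")
    g = ToyDRBG(src, credit_caller_entropy=credit_caller_entropy)
    g.bytes(8)  # initial seed: first pull
    g.add(b"x" * 32, entropy_estimate=256.0)
    for _ in range(ToyDRBG.RESEED_INTERVAL):
        g.bytes(8)
    return len(src.calls)


if __name__ == "__main__":
    print("add() changes next output:", add_changes_output_immediately())
    print("own-source pulls, no credit:", reseed_calls_after_add(False))
    print("own-source pulls, with credit:", reseed_calls_after_add(True))
```

Without credit the scheduled reseed still happens (two pulls), so data of unknown quality can only strengthen the state; with credit the caller's estimate suppresses the second pull, which is exactly the dependence on a possibly poor or attacker-influenced estimate that the message wants removed.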