[openssl-dev] Work on a new RNG for OpenSSL
Salz, Rich
rsalz at akamai.com
Tue Jun 27 21:02:54 UTC 2017
> > Getrandom() is a syscall, and I have concerns about the syscall
> > performance. I would rather feed getrandom (or /dev/random if that’s
> > not available) into a FIPS DRBG generator.
>
> What is your concerns about syscall performance? What are your
> performance requirements? I can tell you that Chrome has been using
> /dev/urandom
Well, Chrome ultimately works at human-scale. On the server side, thousands of connections per second and one or two syscalls per connection seems like something we should avoid.
> My recommendation for Linux is to use getrandom(2) the flags field set to
> zero.
And for older Linux?
> So if you are going to be trying to design your own RNG
> for OpenSSL --- welcome to my world.
We seem to have moved away from that somewhat. That's a better place to be.
> find that in the end, it's impossible to make them all happy, and they will end
> up questioning your intelligence, judgement, and in some cases, your
> paternity. :-)
I miss Usenet. :)
More information about the openssl-dev
mailing list