[openssl-project] Next release is beta1

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Mon Mar 5 08:09:55 UTC 2018


On 04.03.2018 at 17:30, Kurt Roeckx wrote:
> There is also still work going on related to the DRBG API.

Kurt convinced me that the DRBG backend (the reseeding) needs some
adjustments in order to comply with NIST SP 800-90C. This applies in
particular to the prediction_resistance feature. And there might be more
changes required in the course of the future FIPS evaluation. Since
these questions affect only the FIPS certification, my suggestion is to
postpone major adjustments for NIST SP 800-90C compliance to post-1.1.1
and not start overhauling the DRBG shortly before the code freeze. The
new CSPRNG implementation is already much better than the one we had in
1.1.0, even if it is not fully compliant yet.

The recommendation for postponing changes does not apply to the
following pull requests which are already in the queue. In particular it is
reasonable to have the change of the get_entropy callback signature
(#5402) merged before the freeze.

    https://github.com/openssl/openssl/pull/5402
    https://github.com/openssl/openssl/pull/5503
    https://github.com/openssl/openssl/pull/5506

In view of the above said, I will refrain from publishing (and
documenting) the RAND_POOL API and will only publish the RAND_DRBG API 
(TBD).

    https://github.com/openssl/openssl/pull/5461
    https://github.com/openssl/openssl/pull/5462

Matthias




