RAND_DRBG

Tomas Mraz tm at t8m.info
Mon Jul 27 05:50:57 UTC 2020


+1 for the removal

Tomáš

On 27. 7. 2020 4:58, SHANE LONTIS <shane.lontis at oracle.com> wrote:
>
>i.e.  Choose option (1)
>
>> On 27 Jul 2020, at 11:14 am, SHANE LONTIS <shane.lontis at oracle.com> wrote:
>> 
>> If this is not going to break 99% of users + it improves the
>> interface + the replacement to achieve the same is a few lines of code
>> and is likely to occur in one place in an app, then it seems reasonable
>> to change it to me.
>> 
>> 
>>> On 27 Jul 2020, at 11:08 am, Dr Paul Dale <paul.dale at oracle.com> wrote:
>>> 
>>> The RAND_DRBG (crypto/rand/drbg_lib) APIs are quite some mess and
>>> sit badly with the move to provider based infrastructure.
>>> They are definitely being deprecated in master but without more, the
>>> extra layer of indirection and additional complexity generating random
>>> numbers will remain.
>>> 
>>> The options I see are:
>>> 
>>> 1. Remove, rather than deprecate, RAND_DRBG in 3.0.  This is a
>>> breaking change.
>>> 2. Bypass RAND_DRBG and live with a breaking change (refer:
>>> https://github.com/openssl/openssl/pull/12509#pullrequestreview-455396828)
>>> 3. Leave things as they currently are in master.
>>> 
>>> The first two are breaking changes and will require an OMC vote.
>>> 
>>> 
>>> Some pertinent points:
>>> 
>>> 1. RAND_bytes will continue to work as is — this API is perfect for
>>> almost everyone.
>>> 2. The RAND_METHOD functionality remains — this allows wholesale
>>> replacement of OpenSSL’s RNGs if desired.
>>> 3. The name EVP_RAND is the working name and might change — this is
>>> not relevant to this discussion.
>>> 4. The RAND_DRBG APIs are unlikely to be widely used — they were
>>> introduced in 1.1.1.  The two users I know of (Akamai and NCP) are both
>>> fine with them being removed.
>>> 
>>> 
>>> Thoughts anyone?
>>> 
>>> 
>>> Pauli
>>> -- 
>>> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
>>> Phone +61 7 3031 7217
>>> Oracle Australia
>>> 
>> 


