Using RAND_status()
Steffen Nurpmeso
steffen at sdaoden.eu
Wed Feb 15 18:30:13 UTC 2023
Tomas Mraz wrote in
<a73ba399390924cb0249146723d43babf485674d.camel at openssl.org>:
(Resorting a bit)
|On Wed, 2023-02-15 at 12:00 +0800, Jayme Mikko Ancla wrote:
|> I would like to know if my use of RAND_status() like below is
|> correct:
...
|> if (RAND_status() != 1) {
|>    RAND_seed(rnd_seed, sizeof rnd_seed);
|> }
...
|I assume you're getting a failure. If so, it is because you did
|not load the default provider in addition to the legacy one.
|
|Otherwise your code is OK, although these days the RAND_seed() call

Has this changed again? I am now forced to set

  (void)RAND_DRBG_set_reseed_defaults(0, 0, 0, 0); /* (does not fail here) */

and especially I call anything in a loop as in

  # if mx_HAVE_TLS != mx_TLS_IMPL_RESSL && !defined mx_XTLS_HAVE_RAND_FILE
        n_err(_("TLS RAND_bytes(3ssl) failed (missing entropy?), "
           "waiting a bit\n"));
        /* Around ~Y2K+1 anything <= was a busy loop iirc, so give pad */
        su_time_msleep(250, FAL0);
        continue;
  # endif

|should not be needed at all, the RNG should be seeded by itself unless
|there is something wrong with your build configuration of the OpenSSL
|or your OS is some awkward legacy one.

Ah the OS! "32 byte is enough"(, endlessly), said Jason Donenfeld.
(Reseeded often, and pretty "nifty", imho. Once I looked.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)