Re: RNG behavior by default

Dr. Matthias St. Pierre wrote in
<b89b48fce6b54eadaba632402d789ee9@Ex13.ncp.local>:
 |I agree with Kurt, except for one point:
 |
 |> The RAND_bytes and RAND_status manpages can clearly be improved.
 |
 |Both manpages got an update during the DRBG rewrite (by me) and I don't
 |see any contradiction. You bring it to the point yourself:

I had a superficial look yesterday, but I think I have to reread
them in total, anyway.

 |> So _IF_ it is seeded it is seeded...
 |
 |It is true that the DRBG will automatically seed, but it is equally true
 |that it can still end up in an unseeded (error) state, if no suitable
 |entropy source is available. And since this can also happen during
 |reseeding (which in particular is enforced after a fork), it is always
 |necessary to check the return value of the RAND_bytes() function. Because
 |in the error state, the buffer is not filled at all.

That is really bad.  Of course you had to do it like this, and you
surely have looked around to see what servers and other software
which use OpenSSL do with the PRNG after forking (i.e., whether
they reiterate the [RAND_file_name(),] RAND_load_file(),
[:[RAND_add(),] RAND_status()], [RAND_write_file()] dance as
documented, or not).

I think I will move away from RAND_ then, nonetheless, and at
least for the things I have control of.
But I will definitely reread the manual now.

Thanks for your answer.
Ciao and a nice weekend from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
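
The point made in the quoted reply above (a failed RAND_bytes() leaves the buffer unfilled, so its return value must always be checked), as an added example that is not part of the original mail or of OpenSSL's own code. The helper names and the two stub generators are hypothetical and constructed so the failure path runs without OpenSSL; build with -DUSE_OPENSSL -lcrypto to use the real RAND_bytes().

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef USE_OPENSSL
#include <openssl/rand.h>
#endif

/* Same signature as RAND_bytes(): only a return value of 1 means success. */
typedef int (*rand_fn)(unsigned char *buf, int num);

/* Constructed stub: generator in the error state, buffer left untouched. */
int stub_unseeded(unsigned char *buf, int num) { (void)buf; (void)num; return 0; }
/* Constructed stub: healthy generator (fixed pattern, NOT random). */
int stub_ok(unsigned char *buf, int num) { memset(buf, 0xA5, (size_t)num); return 1; }

/* Hypothetical fail-closed wrapper: returns 0 on success, -1 on any failure. */
int random_or_fail(rand_fn gen, unsigned char *buf, size_t len)
{
    if (gen == NULL || buf == NULL || len == 0 || len > INT_MAX)
        return -1;
    if (gen(buf, (int)len) != 1) {  /* 0 and -1 both mean failure */
        memset(buf, 0, len);        /* stale contents must not pass as random */
        return -1;
    }
    return 0;
}

/* Hypothetical caller: issues a 32-hex-digit token, or nothing at all. */
int make_token(rand_fn gen, char *out, size_t outlen)
{
    unsigned char raw[16];
    if (out == NULL || outlen < 2 * sizeof raw + 1)
        return -1;
    out[0] = '\0';
    if (random_or_fail(gen, raw, sizeof raw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

int main(void)
{
    char tok[33];
#ifdef USE_OPENSSL
    rand_fn gen = RAND_bytes;
#else
    rand_fn gen = stub_unseeded;    /* simulate the unseeded error state */
#endif
    if (make_token(gen, tok, sizeof tok) != 0) { fputs("RNG failure\n", stderr); return 1; }
    puts(tok);
    return 0;
}
```

Without -DUSE_OPENSSL the program takes the error path on purpose and exits with status 1 instead of printing a token built from an unfilled buffer.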