On Wed, May 21, 2008 at 3:43 PM, Richard Koenning <[EMAIL PROTECTED]> wrote:
> Richard Stoughton wrote:
>
>> On Tue, May 20, 2008 at 12:09 AM, Bodo Moeller <[EMAIL PROTECTED]> wrote:
>>
>> As far as I can understand the code, the suggested usage pattern for
>> the RNG would be
>>
>> ssleay_rand_bytes(ssleay_rand_add ^ n) with n > 0.
>>
>> If consecutive calls to ssleay_rand_bytes without intermediate calls
>> to ssleay_rand_add are allowed, your objection is obviously more than
>> justified.
>
> Many applications call ssleay_rand_add (or one of the wrapper functions)
> only once at application startup with data for example from /dev/random.
> People wearing both belt and suspenders may want to call ssleay_rand_add
> periodically during application runtime, but that's not necessary in the
> strict sense.

In this case the RNG degenerates to a simple *pseudo* RNG with a random
seed. This is not a best-effort strategy and hence, in my opinion, not a
good idea for applications that try to implement security.

>>>> - do not mix bits of the given output buffer into the internal entropy
>>>> pool.

Hm, the recent Debian case seems to prevent discussions about this point :)

>>>> Note that the second improvement may totally break already broken
>>>> client software.
>>>
>>> Why would it?
>>
>> Clients that do not call ssleay_rand_add at all would probably get a
>> random series with even less variance than the debianized one has.
>
> Clients not calling ssleay_rand_add at all get *no* random series, but an
> error code when calling ssleay_rand_bytes (and an error message requesting
> to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html).

Thank you for pointing this out.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
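The seed-then-extract discipline debated above (seed once at startup, optionally re-seed periodically, never extract from an unseeded pool), as an added example that is not part of this thread and not OpenSSL's own code. It drives OpenSSL's public RAND_add / RAND_bytes / RAND_status entry points (the wrappers in front of ssleay_rand_add / ssleay_rand_bytes in the 0.9.8 default RAND_METHOD) through Python's ssl module: the pool is seeded at construction from os.urandom, re-seeded again once a byte budget or a time budget is exhausted (the "belt and suspenders" approach), and no output is released unless RAND_status() reports the pool as seeded. The class name, the thresholds and the seed source are assumptions chosen for the example; a caller who wants the thread's /dev/random seeding can pass a reader of that device as seed_source. One caveat for anyone reproducing the thread's claims today: OpenSSL 1.1.0 and later seed themselves from the OS, so on a modern build RAND_status() is true even without any RAND_add call, and the unseeded-error behaviour described in the thread does not occur.

```python
"""Belt-and-suspenders use of OpenSSL's RAND API via Python's ssl bindings.

Added example; not from the openssl-dev thread or the OpenSSL sources.
"""
import os
import ssl
import time


class ReseedingRandom:
    """Wrapper around ssl.RAND_bytes that enforces add-before-extract.

    Assumed policy (not from the thread): re-seed after `reseed_bytes` of
    output or `reseed_seconds` of wall-clock time, whichever comes first.
    """

    def __init__(self, reseed_bytes=1 << 20, reseed_seconds=300.0,
                 seed_source=os.urandom, seed_len=32):
        self._seed_source = seed_source      # e.g. a /dev/random reader
        self._seed_len = seed_len
        self._reseed_bytes = reseed_bytes
        self._reseed_seconds = reseed_seconds
        self._since_reseed = 0
        self._reseeds = 0
        self._last_reseed = 0.0
        # Startup seeding: the "ssleay_rand_add ^ n with n > 0" precondition.
        self.reseed()

    def reseed(self):
        """Mix fresh seed material into OpenSSL's pool (RAND_add)."""
        seed = self._seed_source(self._seed_len)
        # Second argument is the entropy estimate in bytes; os.urandom output
        # is treated as full-entropy here (assumption for the example).
        ssl.RAND_add(seed, float(len(seed)))
        self._since_reseed = 0
        self._reseeds += 1
        self._last_reseed = time.monotonic()

    def _budget_exhausted(self, n):
        return (self._since_reseed + n > self._reseed_bytes
                or time.monotonic() - self._last_reseed > self._reseed_seconds)

    def bytes(self, n):
        """Return n random bytes, re-seeding first if the budget ran out."""
        if self._budget_exhausted(n):
            self.reseed()
        # Never extract from an unseeded pool; 0.9.8 returned an error here,
        # modern OpenSSL auto-seeds, but the check costs nothing either way.
        if not ssl.RAND_status():
            raise RuntimeError("OpenSSL PRNG not seeded; refusing to emit output")
        out = ssl.RAND_bytes(n)
        self._since_reseed += n
        return out

    @property
    def reseed_count(self):
        return self._reseeds


def dev_random_source(n):
    """Seed source reading the kernel pool directly, as the thread describes."""
    with open("/dev/random", "rb", buffering=0) as f:
        return f.read(n)


if __name__ == "__main__":
    rng = ReseedingRandom(reseed_bytes=64, reseed_seconds=1e9)
    a, b, c = rng.bytes(32), rng.bytes(32), rng.bytes(32)
    print("distinct outputs:", len({a, b, c}) == 3)
    print("reseeds so far:", rng.reseed_count)   # 2: startup + budget refill
```

The byte budget is what turns the one-shot seeding the thread describes into a periodically re-keyed generator; set it to a small value, as the demo does, to watch the second RAND_add happen on the third extraction.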