On Thu, Sep 11, 2008 at 09:06:39PM +0800, Harald Welte wrote:
>
> Yes, after reviewing the discussion and documentation I tend to agree. So the
> best option really is to make OpenSSL use the userspace interface for the
> kernel random number generator, and feed that kernel RNG's entropy pool from
> the hardware RNG.

Please don't do this in an engine; the extra syscalls will murder
performance.

One of the nicest things about the VIA crypto accelerator is that it
is really just so many extra, unprivileged instructions. So you don't
have to do any system calls or even any special memory accesses to use
it -- so you don't incur performance side-effects that make your whole
program run slowly though the crypto seems to run fast.

The right thing to do is to *fix the Engine interface and the RNG code*
so an Engine can supply random bits without replacing the entire RNG.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]