Knowledge of the platform is a required part of the OpenSSL configuration. If the platform supports HRNG (usually in the form of CPU instructions), use it: let OpenSSL mix its output with whatever other randomness sources it picks on that platform/system. IMHO that’s the best strategy.
Thankfully, many of the newer platforms support those instructions. For those that don’t – you’d have to either rely on the OS, or try to play OS (which is difficult if the OS is not friendly, and impossible if the OS is hostile). PGP used to collect randomness from the user keyboard input. That may be fine for some applications – but a no-go for a library, IMHO. -- Regards, Uri Blumenthal
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev