>>> 3. What should I do if I want a given source to be used in addition to the
>>> other sources, regardless of whether openssl thinks it got “enough bits” of
>>> randomness or not?
>> Modify the source :)
> Very bad answer.
And also a wrong one. Your application can always call RAND_add(). Sorry for
mistake.
> I have no problem reading the source code. I do have a problem with (a)
> important decisions like this not “formalized” and documented, and (b)
> mechanisms to tune the RNG seeding not provided and clearly and
> comprehensively documented.
This is a mostly volunteer open source project. We are unlikely to commit to
something that requires so much effort when, frankly, most of the consumers
aren’t interested, or qualified, to make an assessment. I am sorry if that
sounds obnoxious or conceited. It shouldn’t; there are many things that I know
I’m not qualified to comment on :) And also, we reserve the right to make
changes.
I expect that the FIPS project, just starting, will be of interest to you.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
