Nicolas Roumiantzeff <[EMAIL PROTECTED]>:
>> There should be some workaround for systems without /dev/urandom !
> I posted a pointer to a secure random mechanism which is portable and
> does not rely on the user input and because of the continuous number of
> complaints on the subject, I am quite surprised that no one asked for this
> or a similar mechanism to be integrated into OpenSSL.
>
> This random number package, called librand, is based on event interval
> variations:
> ftp://ftp.research.att.com/dist/mab/librand.shar
It's not that portable (for getting CFS to work, I had to replace the
roulette() function by an implementation that simply reads from
/dev/urandom -- for reasons I did not investigate further, SIGALRM never
occurred, resulting in an endless loop). Also note that the software
self-describes as "a dubious, unproven hack for generating "true"
random numbers in software."
(In fact, even that shar file is not portable -- it uses CRLF as line
ends, meaning that it tries to call /bin/sh^M etc.)
In any case, the library should never automatically call stuff
like this (although it might be provided in standard functions
that applications may use if it's deemed appropriate).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]