Re: OpenSSL with EGD?

Lutz Jaenicke Tue, 16 May 2000 00:08:32 -0700
On Mon, May 15, 2000 at 03:43:19PM -0600, Allen J. Newton wrote:
> > 2. The RAND_egd() function does not give any diagnostic output.
> >    Print out the return value to see whether it is "-1" (error condition)
> >    or a positive number. The positive number is the number of entropy
> >    bytes obtained (255 is the maximum you can get from EGD with one query).
> 
> Okay, I haven't done this, yet, but still have the question about where to put
> the RAND_egd() call -- was it intended to replace existing RAND_seed() calls?
> Or is it intended to supplement them?  Or is it supposed to be called before
> anything else?

The RAND_egd() function reads entropy from the EGD socket and directly
feeds it into the PRNG.
The absolut minimum amount of seed is 16 bytes. If EGD is not drained, one
call to RAND_egd() will give you 255 bytes.
So depending on your environment you can use RAND_egd() as a replacement
for RAND_seed() or you can use both to collect even more entropy.
[The PRNG has 8192 state bits (1024 bytes), all calls to RAND_seed/egd()
or whatever functions will increase the entropy in the pool, so adding to
much never harms :-)]

> I just haven't discovered whether the RAND_egd() changes need to be made to
> openssl code, stunnel code, or both.  Any further pointers greatly
> appreciated.
The changes need to be made to the stunnel code.
Call RAND_egd early. You can call it first, before doing anything else,
since the PRNG does not depend on any other item while the other functions
may depend on the PRNG.
If Michal won't do it, add a new option "-egd filename" and then call
(symbolic notation)
entropy = RAND_egd(argument_filename);
if (entropy < 0)
  error_message("Could not open EGD socket %s", argument_filename);
else
  information("Seeded PRNG with %d bytes from EGD", entropy);

> > The release of stunnel 3.8 predates the release of OpenSSL 0.9.5 (the first
> > release forcing correct seeding of the PRNG) by 4 days, so probably stunnel
> > is not yet aware of that change. Please contact Michal and kindly ask him
> > for an update of his widly used package.
> 
> Thanks very much, I'll try that tonight...

Good luck,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: OpenSSL with EGD?

Reply via email to
