Hi Harald and Geoff,

Harald Welte wrote:
I searched the list archives but couldn't find anything apart from that single
message by Michal to the list.  He is talking about somebody having asked him
to add testsuite support, but he didn't exactly know what he needs to add.

I could not find any evidence of any prior or later discussion on that subject.

Maybe Michal could enlighten us :)

There has been some discussion regarding SHA1 and SHA256 support in 2005 on the openssl-dev list. I was dealing mainly with Andy Polyakov on the OpenSSL side at that time. Have a look here: http://marc.info/?t=112781676100001&r=1&w=4 for a thread about SHA1 integration and here: http://marc.info/?l=openssl-dev&m=112782644132216&w=4 for the SHA256 patch.

And finally the one you already knew about. That's the final "works for me" version ready to be committed to the openssl tree current at that time (may not apply smoothly anymore, I don't know): http://marc.info/?l=openssl-dev&m=115243758508970&w=4

I don't think there's any taboo or a strong opposition against the patch. It's just that Andy hasn't followed up, I sort of gave up and moved to other projects, and the whole thing has gone forgotten.

As for the RNG stuff, if you are able to find any references to
discussion and/or cvs commits regarding the "deactivation by OpenSSL
maintainers" then that would make it easier for me to follow up too.
TIA.

At http://www.logix.cz/michal/devel/padlock/index.xp?show_selected=1&msgid=1050 I found the quote "Stock OpenSSL as packaged in linux distros or as available from openssl.org
has the RNG engine intentionally disabled. Thus "no-RNG". My patches have it
enabled, so you see "RNG". See the source for the reasons to enable/disable
RNG."

which seems to indicate that Michal Ludvig's original code has it enabled, but
OpenSSL mainline disabled it.

I searched the list archives and RT before, but didn't find anything on either
the RNG or the SHA issue.

Have a look here:
http://marc.info/?l=openssl-dev&m=109113625526391&w=2
and in the corresponding thread for the discussion.

FWIW even in the Linux kernel the hardware RNGs (incl. VIA PadLock) are not used directly for RNG output but instead to feed the entropy pool. I quite agree with the reasons why OpenSSL shouldn't use whatever it gets from PadLock RNG *directly* as a stream of random numbers. Unfortunately, as soon as the PadLock engine registers as an RNG provider, OpenSSL won't do any post-processing of the random data, and therefore the best bet at that time was not to use PadLock's RNG.

Michal
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
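
The distinction in the last paragraph of the message (hardware RNG bytes fed into an entropy pool versus handed out directly), as an added sketch that is not part of the original message and is not Linux, OpenSSL or PadLock code. `StuckHardwareRNG` and `EntropyPool` are constructed for illustration, with SHA-256 standing in for a real mixing function.

```python
import hashlib
import os

class StuckHardwareRNG:
    """Constructed stand-in for a failed hardware RNG: every read is identical."""
    def read(self, n: int) -> bytes:
        return b"\xa5" * n

class EntropyPool:
    """Toy pool (assumption, not a real design): inputs are hashed in, output is derived."""
    def __init__(self) -> None:
        self._state = hashlib.sha256(b"pool-init").digest()
        self._counter = 0

    def mix(self, data: bytes) -> None:
        # New state depends on old state and input, so a bad input cannot
        # cancel out what earlier sources contributed.
        self._state = hashlib.sha256(self._state + data).digest()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            block = self._state + b"out" + self._counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
        # Ratchet so earlier output cannot be recomputed from a later state.
        self._state = hashlib.sha256(self._state + b"ratchet").digest()
        return out[:n]

def direct_output(hw, n: int = 16) -> bytes:
    """What a consumer gets when the hardware RNG is the registered provider."""
    return hw.read(n)

def pooled_output(hw, pool: EntropyPool, n: int = 16) -> bytes:
    """Hardware bytes are only one input to the pool; callers see pool output."""
    pool.mix(hw.read(32))
    return pool.read(n)

def demo():
    hw, pool = StuckHardwareRNG(), EntropyPool()
    pool.mix(os.urandom(32))  # independent second source
    direct = [direct_output(hw) for _ in range(3)]
    pooled = [pooled_output(hw, pool) for _ in range(3)]
    return direct, pooled

if __name__ == "__main__":
    d, p = demo()
    print("direct:", [x.hex() for x in d])
    print("pooled:", [x.hex() for x in p])
```

A pool fed only by the stuck source is still fully deterministic; pooling protects against one bad source only when at least one other input is unpredictable.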