On Thu, Sep 11, 2008 at 09:32:14AM -0400, Geoff Thorpe wrote:
> > > I don't think there's any taboo or a strong opposition against the
> > > patch. It's just that Andy hasn't followed up, I've sort of given up and
> > > moved to other projects and the whole thing has gone forgotten.
> >
> > Ok. I hope after my re-merge and testing we can get it integrated this
> > time.
>
> BTW, my memory is vague here, is this Padlock block only able to do one-shot
> hashing?

Yes, in all current CPUs (up to the C7), it is. There's a beautiful workaround by Michal and Andy which they have implemented in phe_sum by making the process page fault every time they need to copy in a new buffer (since the PHE is context-switch safe).

I have heard rumours that the new CN (Nano) can do incremental hashing. As soon as I have access to the hardware and the docs I'll add that on top of the old code.

In any case, there are many applications, mainly network security apps such as ssh and openvpn for which the 8k buffer of Michal's patch is enough.

> > Yes, after reviewing the discussion and documentation I tend to agree. So
> > the best option really is to make OpenSSL use the userspace interface for
> > the kernel random number generator, and feed that kernel RNG's entropy pool
> > from the hardware RNG.
>
> Ohhhh, right, I see now. Yes this is a bit crap. The problem IMHO is that
> RAND_METHOD is the "wholesale replacement" interface. Ie. the entire software
> PRNG sits behind that interface, no matter how it obtains its entropy, and
> using an alternative RAND_METHOD will completely bypass the software PRNG.

yes, exactly.

> > I'll submit a patch to OpenSSL which gives a more detailed description in
> > the comment since I think it is sort of like a FAQ for those people who
> > actually discover the padlock no-RNG flag :)
>
> I will see if I can sketch an ENTROPY_METHOD that would improve this
> situation.

great, thanks.

--
- Harald Welte <[EMAIL PROTECTED]> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
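The option settled on in the message above (keep OpenSSL's software PRNG and feed the kernel RNG's entropy pool from the hardware RNG) can be sketched as below. This is an added example, not code from the thread or from OpenSSL; it assumes Linux, a hardware RNG exposed at /dev/hwrng, and the RNDADDENTROPY ioctl on /dev/random. The function names and the 4-bits-per-byte credit are hypothetical choices.

```c
#include <fcntl.h>
#include <linux/random.h>   /* struct rand_pool_info, RNDADDENTROPY */
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Build the RNDADDENTROPY argument. bits_per_byte is the entropy credited
 * per input byte (0..8); crediting fewer than 8 is the conservative choice
 * for a raw hardware source. Returns NULL on bad input or failed malloc. */
struct rand_pool_info *make_pool_info(const unsigned char *data, size_t len,
                                      int bits_per_byte)
{
    if (data == NULL || len == 0 || len > 4096 ||
        bits_per_byte < 0 || bits_per_byte > 8)
        return NULL;
    struct rand_pool_info *info = malloc(sizeof(*info) + len);
    if (info == NULL)
        return NULL;
    info->entropy_count = (int)len * bits_per_byte;   /* credited bits */
    info->buf_size = (int)len;                        /* payload bytes */
    memcpy((unsigned char *)(info + 1), data, len);   /* payload follows header */
    return info;
}

/* Read one block from the hardware RNG and mix it into the kernel pool.
 * Returns 0 on success, -1 on error. The ioctl needs CAP_SYS_ADMIN. */
int feed_kernel_pool(const char *hwrng_path, const char *pool_path, int bits_per_byte)
{
    unsigned char block[64];
    int rc = -1, src = open(hwrng_path, O_RDONLY), dst = open(pool_path, O_WRONLY);
    if (src >= 0 && dst >= 0) {
        ssize_t n = read(src, block, sizeof(block));
        struct rand_pool_info *info =
            n > 0 ? make_pool_info(block, (size_t)n, bits_per_byte) : NULL;
        if (info != NULL && ioctl(dst, RNDADDENTROPY, info) == 0)
            rc = 0;
        free(info);
    }
    if (src >= 0) close(src);
    if (dst >= 0) close(dst);
    return rc;
}

int main(void)
{
    /* Assumed paths: /dev/hwrng (hw_random driver), /dev/random (kernel pool). */
    return feed_kernel_pool("/dev/hwrng", "/dev/random", 4) == 0 ? 0 : 1;
}
```

With the pool fed this way, applications keep reading /dev/random or /dev/urandom, so the software PRNG is seeded by the hardware rather than bypassed.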