Hi Geoff,

On Sun, Sep 21, 2008 at 11:20:35PM -0400, Geoff Thorpe wrote:

> Looking at this in more detail, the current s/w PRNG implementation keeps a 
> running 'entropy' count and when that reaches a certain threshold, it stops 
> maintaining an entropy counter because the PRNG is considered sufficiently 
> seeded. Each platform (roughly speaking) has its own implementation of 
> RAND_poll() which does some canonical seeding, which may be enough to get the 
> PRNG off the ground, or if not, the application will need to RAND_add() (or 
> RAND_seed()) some more entropy before the PRNG is ready. In any case, this 
> doesn't adapt so well to a model where entropy sources live as callbacks and 
> get called by the PRNG when required. It's more a model where an entropy 
> source should just stuff its entropy into the PRNG as soon as it gets a 
> chance, and preferably as much of the stuff as it has handy. It can always 
> add more later and no harm will be done, but there's no obvious way to add a 
> hook to ask for entropy automatically.

Sounds perfectly reasonable and I totally understand.  It really is strange
that you have to poll for random numbers rather than somebody feeding them into
you.

> With this in mind, I'm wondering if the simplest thing to do isn't just to 
> have the padlock (or any other) engine call RAND_add() with some entropy 
> during the init() handler of the ENGINE itself (rather than in a 
> RAND_METHOD). That doesn't solve the problem of adding more entropy as time 
> goes by, but it's better than the current situation (only having a 
> RAND_METHOD mechanism you can't use at all), and moreover it requires no 
> interface changes, just implementation...
>
> Thoughts?

Sounds completely fine with me.  I'll do some experimentation after I'm
finished with the PadLock PHE (hashing) stuff and cook up a patch.  Since
I'm currently quite busy it will probably take some time.

-- 
- Harald Welte <[EMAIL PROTECTED]>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
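The push-style seeding discussed in this message, as a simplified model added here as an example; it is not OpenSSL code and not part of the original e-mail. All `model_*` and `src_*` names, the 32-byte threshold, the stand-in mixer and the constructed byte sources are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTROPY_NEEDED 32.0  /* threshold in bytes; value assumed for this model */
struct prng { uint64_t state; double entropy; int seeded; };
#define PRNG_INIT { 14695981039346656037ULL, 0.0, 0 }

/* Push interface: always mix the input, but only keep counting until seeded. */
static void model_rand_add(struct prng *p, const void *buf, size_t n, double entropy)
{
    const unsigned char *b = buf;
    for (size_t i = 0; i < n; i++)   /* FNV-1a step: stand-in mixer, NOT cryptographic */
        p->state = (p->state ^ b[i]) * 1099511628211ULL;
    if (p->seeded) return;           /* counter is no longer maintained */
    if (entropy > (double)n) entropy = (double)n;  /* never credit more than supplied */
    if (entropy > 0) p->entropy += entropy;
    if (p->entropy >= ENTROPY_NEEDED) p->seeded = 1;
}

static int model_rand_status(const struct prng *p) { return p->seeded; }
/* Hypothetical hardware source: returns bytes delivered, 0 when unavailable. */
typedef size_t (*hw_read_fn)(unsigned char *out, size_t n);

/* Engine init handler: push what the source has; credit nothing on failure. */
static int model_engine_init(struct prng *p, hw_read_fn hw)
{
    unsigned char buf[64];
    size_t got = hw ? hw(buf, sizeof buf) : 0;
    if (got == 0) return 0;          /* source missing or dead: PRNG left untouched */
    model_rand_add(p, buf, got, (double)got);  /* assumes 8 bits of entropy per byte */
    return 1;
}

/* Constructed sources for the demo; a real engine would read its hardware RNG. */
static size_t src_fill(unsigned char *o, size_t n, size_t k)
{ if (k > n) k = n; for (size_t i = 0; i < k; i++) o[i] = (unsigned char)(i * 37 + 11); return k; }
static size_t src_full(unsigned char *o, size_t n)  { return src_fill(o, n, n); }
static size_t src_short(unsigned char *o, size_t n) { return src_fill(o, n, 16); }
static size_t src_dead(unsigned char *o, size_t n)  { (void)o; (void)n; return 0; }

int main(void)
{
    struct prng p = PRNG_INIT;
    int dead = model_engine_init(&p, src_dead), part = model_engine_init(&p, src_short);
    printf("dead=%d short=%d seeded=%d\n", dead, part, model_rand_status(&p));
    part = model_engine_init(&p, src_full);
    printf("full=%d seeded=%d\n", part, model_rand_status(&p));
    return 0;
}
```

A short read at init leaves the model below its threshold, which is the case where the application would still have to add entropy itself before relying on the PRNG.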
