Hello Richard,

Yes, I see what this comment means. But what's the difference between
RAND_bytes() and RAND_pseudo_bytes() then? They seem to be using exactly
the same amount of entropy and can't ever fail or return `0` (meaning that
the data is insecure).

In my opinion, the current implementation could be a RAND_pseudo_bytes()
backend, and RAND_bytes() should be something more secure (considering that
this is how it's described in the man documentation).

Cheers,
Fedor.


On Wed, Oct 23, 2013 at 6:53 PM, Richard Könning <
richard.koenn...@ts.fujitsu.com> wrote:

> On 21.10.2013 13:09, Fedor Indutny wrote:
>
>> Hello devs!
>>
>> I just found that it's impossible to get an error from `RAND_bytes()` if
>> running on the default `RAND_SSLeay()` method.
>>
>> There are a couple of reasons and observations that confirm it
>> (sorry for using GitHub, it's just more convenient for me):
>>
>> 1. `RAND_poll()` is called only once, in the initialization of the method:
>> https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L436-L440
>> and
>> https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L648-L652
>> 2. The static variable `entropy`, which is used to determine if the PRNG
>> output is secure, is never decreased, and actually stays exactly at the
>> `ENTROPY_NEEDED` value all the time. This happens because `entropy -=
>> ...` happens only in the following condition:
>> https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L446-L463
>> which is always true.
>>
>> I think I can contribute a patch to make it work properly, if this isn't
>> an intended behavior.
>>
>
> Well, the comment in the code states imho clearly that this *is* the
> intended behavior:
>
>>  * Once we've had enough initial seeding we don't bother to
>>  * adjust the entropy count, though, because we're not ambitious
>>  * to provide *information-theoretic* randomness.
>>
>
> Ciao
> Richard
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>
