On 27 May 2014 11:11, Ben Laurie <b...@links.org> wrote:
> On 27 May 2014 09:16, Joseph Birr-Pixton <jpix...@gmail.com> wrote:
>> To restate:
>>
>> Callers of RAND_pseudo_bytes are either unreliable, or equivalent to
>> RAND_bytes. Do not use it.
>
> Have I missed something? What are you referring to here?
RAND_pseudo_bytes returns:

 1 when everything worked (equivalent to RAND_bytes behaviour)
 0 when everything worked, but the entropy estimator attached to the PRNG
   wants it to be reseeded
 0 when nothing worked (memory allocation failure, IO error, etc.)
-1 if the function isn't supported by the current RAND_METHOD.

The documentation doesn't mention the third case, leading to things like:

https://github.com/openssl/openssl/blob/master/crypto/dsa/dsa_gen.c#L208

(Stack disclosure in low memory/low fd conditions.)

A full writeup (along with behaviours of all the RAND_METHODs in current
trunk) is at:

http://jbp.io/2014/01/16/openssl-rand-api/

Cheers,
Joe

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
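As an added illustration (not code from the thread, from Joe's writeup, or from OpenSSL), the following C program simulates the four return outcomes listed in the message and contrasts a caller that treats any non-negative return as success with one that accepts only a return of 1. The simulated RAND_METHOD, the sim_* names and the enum values are my constructions; the "flawed" check models the pattern the thread criticises and is a reconstruction, not a quote from dsa_gen.c. The sentinel byte stands in for whatever stale stack contents the real buffer would hold.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the active RAND_METHOD. Assumption: this simulates the four
 * RAND_pseudo_bytes outcomes from the thread instead of linking libcrypto. */
enum rand_outcome {
    RO_OK,            /* return 1:  buffer filled                            */
    RO_OK_RESEED,     /* return 0:  buffer filled, estimator wants a reseed  */
    RO_FAILED,        /* return 0:  nothing written (alloc/IO failure)       */
    RO_UNSUPPORTED    /* return -1: RAND_METHOD has no pseudorand            */
};

static enum rand_outcome g_method = RO_OK;

void sim_set_method(enum rand_outcome o) { g_method = o; }

/* Simulated RAND_pseudo_bytes with the same return convention. The "random"
 * fill is a constructed byte pattern, not entropy. */
int sim_rand_pseudo_bytes(unsigned char *buf, int num) {
    switch (g_method) {
    case RO_OK:
    case RO_OK_RESEED:
        for (int i = 0; i < num; i++)
            buf[i] = (unsigned char)(0x5A ^ i);   /* constructed filler */
        return g_method == RO_OK ? 1 : 0;
    case RO_FAILED:
        return 0;                                  /* buf left untouched */
    case RO_UNSUPPORTED:
        return -1;
    }
    return -1;
}

/* Flawed caller: treats any non-negative return as success. Reconstruction
 * of the pattern the thread criticises, not a quote from dsa_gen.c. */
int flawed_gen_seed(unsigned char *seed, int n) {
    if (sim_rand_pseudo_bytes(seed, n) < 0)
        return 0;
    return 1;   /* on RO_FAILED this reports success with seed never written */
}

/* Hardened caller: only a return of 1 means the buffer holds usable output.
 * Anything else is a failure and the buffer is wiped before returning. */
int safe_gen_seed(unsigned char *seed, int n) {
    if (sim_rand_pseudo_bytes(seed, n) != 1) {
        memset(seed, 0, (size_t)n);
        return 0;
    }
    return 1;
}

/* Returns 1 if the flawed caller reports success under outcome `o` while the
 * buffer still holds the pre-call sentinel, i.e. uninitialised data would be
 * used as the DSA seed. */
int flawed_leaks_sentinel(enum rand_outcome o) {
    unsigned char seed[20];
    memset(seed, 0xAA, sizeof seed);   /* sentinel for stale stack bytes */
    sim_set_method(o);
    int ok = flawed_gen_seed(seed, (int)sizeof seed);
    return ok == 1 && seed[0] == 0xAA && seed[19] == 0xAA;
}

/* Returns the hardened caller's verdict (1 = usable seed) under outcome `o`. */
int safe_accepts(enum rand_outcome o) {
    unsigned char seed[20];
    sim_set_method(o);
    return safe_gen_seed(seed, (int)sizeof seed);
}

int main(void) {
    printf("flawed caller uses stale stack on RO_FAILED: %d\n",
           flawed_leaks_sentinel(RO_FAILED));
    printf("safe caller accepts RO_OK=%d RO_OK_RESEED=%d RO_FAILED=%d RO_UNSUPPORTED=%d\n",
           safe_accepts(RO_OK), safe_accepts(RO_OK_RESEED),
           safe_accepts(RO_FAILED), safe_accepts(RO_UNSUPPORTED));
    return 0;
}
```

The hardened caller deliberately rejects the reseed case too: for a value that feeds key generation, the advice in the thread is to demand RAND_bytes-equivalent behaviour, and only a return of 1 gives that.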