On Fri, Oct 23, 2015 at 05:40:29PM +0300, Dmitry Belyavsky wrote:
> Hello Alexander,
>
> On Fri, Oct 23, 2015 at 4:22 PM, Alessandro Ghedini <alessan...@ghedini.me>
> wrote:
>
> > So, any thought? If there's interest in this, I can look into investigating
> > these things more in detail and propose possible patches.
>
> In Russia we have to certify the RNG hardware and software for using in
> organizations where the certified products are required.
> Currently we are able to implement custom RAND_METHODs and provide it via
> engines. So if the hardware is unavailable, the RAND_bytes() call fails.
>
> In the 1.0.* versions of the OpenSSL library not all calls to RAND*
> functions were checked for success, and it caused some problems.
> LibreSSL treats their RNG functions as never-failed, and I do not know
> about BoringSSL.
>
> So we need non-void RAND API and possibility to provide our own
> RAND_METHODs. If the current code is to be refactored, I ask to leave these
> options possible.

Yeah, the idea is to keep the current ENGINE API, and only change the default
RAND_METHOD which is returned by RAND_SSLeay(). So if you use any other RNG
this change shouldn't affect you.

Cheers
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev