i.e.  Choose option (1)

> On 27 Jul 2020, at 11:14 am, SHANE LONTIS <shane.lon...@oracle.com> wrote:
> 
> If this is not going to break 99% of users + it improves the interface + the 
> replacement to achieve the same is a few lines of code and is likely to occur 
> in one place in an app, then it seems reasonable to change it to me.
> 
> 
>> On 27 Jul 2020, at 11:08 am, Dr Paul Dale <paul.d...@oracle.com 
>> <mailto:paul.d...@oracle.com>> wrote:
>> 
>> The RAND_DRBG (crypto/rand/drbg_lib) APIs are quite some mess and sit badly 
>> with the move to provider based infrastructure.
>> They are definitely being deprecated in master but without more, the extra 
>> layer of indirection and additional complexity generating random numbers 
>> will remain.
>> 
>> The option I see are:
>> 
>> 1. Remove, rather than deprecate, RAND_DRBG in 3.0.  This is a breaking 
>> change.
>> 2. Bypass RAND_DRBG and live with a breaking change (refer: 
>> https://github.com/openssl/openssl/pull/12509#pullrequestreview-455396828 
>> <https://urldefense.com/v3/__https://github.com/openssl/openssl/pull/12509*pullrequestreview-455396828__;Iw!!GqivPVa7Brio!P_SYCN9POdf1ZT1I7v4h9G_oUTuels90DxKk1JmFkD7HcXsTPr9n0s3FX3XZZo_c2Q$>)
>> 3. Leave things as they currently are in master.
>> 
>> The first two are breaking changes and will require an OMC vote.
>> 
>> 
>> Some pertinent points:
>> 
>> 1. RAND_bytes will continue to work as is — this API is perfect for almost 
>> everyone.
>> 2. The RAND_METHOD functionality remains — this allows wholesale replacement 
>> of OpenSSL’s RNGs if desired.
>> 3. The name EVP_RAND is the working name and might change — this is not 
>> relevant to this discussion.
>> 4. The RAND_DRBG APIs are unlikely to be widely used — they were introduced 
>> in 1.1.1.  The two users I know of (Akamai and NCP) are both fine with them 
>> being removed.
>> 
>> 
>> Thoughts anyone?
>> 
>> 
>> Pauli
>> -- 
>> Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
>> Phone +61 7 3031 7217
>> Oracle Australia
>> 
> 

Reply via email to