> -Original Message-
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt
> Caswell
> Sent: Tuesday, 29 August 2017 16:36
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Plea for a new public OpenSSL RNG API
>
>
>
> On 29/08/17 15:02,
> I realize that reseed() not only mixes my “additional input” but also
> replaces the entire state. NIST does
> not specify an interface to “just” mix the “additional input” into the state
> without replacing the whole state
> with some fresh entropy by calling Get_entropy_input(). Maybe we can
> -Original Message-
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of
> Blumenthal, Uri - 0553 - MITLL
> Sent: Wednesday, 30 August 2017 17:23
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Plea for a new public OpenSSL RNG API
>
> ...
> >
To access a PKCS#11 randomness source, it would be necessary to have an engine
that implemented whatever new RNG API is defined which in turn talks to the P11
device. Possibly not ideal but workable.
As for the entropy argument to RAND_add et al, the callee will use it in a
manner suitable to
On 8/30/17, 00:59, "openssl-dev on behalf of Paul Dale"
wrote:
>My thoughts are that the new RNG API should be made public once it has
>been properly designed. We've a chance to get this right, let's take the time
>
> > We have a similar situation, on a small hardware device with little
> > own entropy but with a smartcard reader.
>
> Yes, but in most cases you cannot count on the smartcard (or smartcard-like
> device) being in the reader.
> Which is why in my opinion this is an ideal case for
>> I would do exactly the opposite. “Normal” entropy is fetched from the
>> default sources (/dev/urandom). But when sensitive (aka long-term) keys
>> are generated, a (portable :) hardware RNG is plugged in and used with
>> RAND_add() equivalent. Reason – in my setup reliable trusted
Hi All,
I am trying to build openssl. As part of that I want to remove some ciphers
like md4, rc5 etc.
I tried ./config no-md5, no-rc5 and ./Configure no-md5, no-rc5. In both
cases the MD4 and RC5 directories are still getting compiled.
Please can you let me know what could be going wrong.