Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Dr. Matthias St. Pierre
> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt Caswell
> Sent: Tuesday, 29 August 2017 16:36
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Plea for a new public OpenSSL RNG API
>
> On 29/08/17 15:02,

Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Dr. Matthias St. Pierre
> I realize that reseed() not only mixes my “additional input” but also replaces the entire state. NIST does not specify an interface to “just” mix the “additional input” into the state without replacing the whole state with some fresh entropy by calling Get_entropy_input(). Maybe we can

Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Dr. Matthias St. Pierre
> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Blumenthal, Uri - 0553 - MITLL
> Sent: Wednesday, 30 August 2017 17:23
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Plea for a new public OpenSSL RNG API
>
> ...
>

Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Paul Dale
To access a PKCS#11 randomness source, it would be necessary to have an engine that implemented whatever new RNG API is defined which in turn talks to the P11 device. Possibly not ideal but workable. As for the entropy argument to RAND_add et al, the callee will use it in a manner suitable to

Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Blumenthal, Uri - 0553 - MITLL
On 8/30/17, 00:59, "openssl-dev on behalf of Paul Dale" wrote:
> My thoughts are that the new RNG API should be made public once it has been properly designed. We've a chance to get this right, let's take the time

Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Dr. Matthias St. Pierre
> > We have a similar situation, on a small hardware device with little own entropy but with a smartcard reader.
>
> Yes, but in most cases you cannot count on the smartcard (or smartcard-like device) being in the reader. Which is why in my opinion this is an ideal case for

Re: [openssl-dev] Plea for a new public OpenSSL RNG API

2017-08-30 Thread Blumenthal, Uri - 0553 - MITLL
>> I would do exactly the opposite. “Normal” entropy is fetched from the default sources (/dev/urandom). But when sensitive (aka long-term) keys are generated, a (portable :) hardware RNG is plugged in and used with a RAND_add() equivalent. Reason – in my setup reliable trusted

[openssl-dev] how to compile out selected ciphers

2017-08-30 Thread Jayalakshmi bhat
Hi All, I am trying to build openssl. As part of that I want to remove some ciphers like md4, rc5 etc. I tried ./config no-md5, no-rc5 and ./Configure no-md5, no-rc5. In both cases the MD4 and RC5 directories are still getting compiled. Please can you let me know what could be going wrong.