[PATCH] Adding diversity for security
tmroeder at google.com
Wed Oct 2 10:28:14 PDT 2013
From what I've seen, it's been quite stable. Looking back in the git
logs of openssl, it looks like the last time a change touched rand.h
was in 2011, and that was just to add FIPS stuff. Then the last change
before then was in 2009. So, I would say it's safe to rely on it.
On Wed, Oct 2, 2013 at 10:19 AM, Stephen Crane <sjcrane at uci.edu> wrote:
> You make a very good point which I never actually considered. I confess that
> I am not very familiar with the OpenSSL API and was simply looking for a
> drop-in replacement for our existing simple AES implementation, which had a
> conflicting open-source license. Looking at the OpenSSL RNG now, I see
> no problems with it as long as it is stable between versions.
> - Stephen
> On 10/02/13 10:02, Tom Roeder wrote:
>> OpenSSL provides a facility for getting cryptographically strong
>> pseudorandom numbers: see <openssl/rand.h>. You can call
>> RAND_bytes(unsigned char *buf, int num) to get a given number of
>> random bytes. It also supports seeding and state files; see
>> http://www.openssl.org/docs/crypto/rand.html for the full API. From a
>> cursory look at the patch, it seems like the RandomNumberGenerator
>> calls could be passed through mostly directly to OpenSSL if libcrypto
>> is available.
>> Maybe I'm missing something: do you have requirements that aren't met
>> by the existing OpenSSL rand functionality?
>> On Wed, Oct 2, 2013 at 6:34 AM, Alex Rosenberg <alexr at leftfield.org>
>>> I'm not a crypto geek but... I think the choices of seeds need to be
>>> explained in the comments.
>>> For example, the result of malloced memory is likely to be just zeros on
>>> some platforms and the addresses of command line argument pointers are likely
>>> to be constant between runs.
>>>> On Oct 1, 2013, at 3:13 PM, Stephen Crane <sjcrane at uci.edu> wrote:
>>>> Adds the capability to randomly insert NOPs, permuting the code layout,
>>>> as well as the option to randomize scheduling decisions. Includes an
>>>> OpenSSL-linked RNG to provide secure random number generation.
>>>> llvm-commits mailing list
>>>> llvm-commits at cs.uiuc.edu
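The pass-through to RAND_bytes discussed in this thread, as an added example that is not code from the patch or from LLVM. The names rng_bytes and rng_uniform, the HAVE_LIBCRYPTO build macro and the /dev/urandom fallback are assumptions made for illustration; rng_uniform goes one step beyond the thread to show an unbiased bounded draw of the kind a randomized insertion or scheduling choice would need.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LIBCRYPTO            /* hypothetical macro set by the build system */
#include <openssl/rand.h>
#endif

/* Fill buf with num cryptographically strong random bytes.
 * Returns 1 on success and 0 on failure, mirroring RAND_bytes(). */
int rng_bytes(unsigned char *buf, int num)
{
    if (buf == NULL || num <= 0)
        return 0;
#ifdef HAVE_LIBCRYPTO
    /* RAND_bytes returns 1 only on success; 0 and -1 are both failures,
     * so the result must be compared with 1, not tested for non-zero. */
    return RAND_bytes(buf, num) == 1;
#else
    /* Assumed fallback when libcrypto is not linked: the OS CSPRNG device. */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    size_t got = fread(buf, 1, (size_t)num, f);
    fclose(f);
    if (got != (size_t)num) {
        memset(buf, 0, (size_t)num);   /* never hand back partial output */
        return 0;
    }
    return 1;
#endif
}

/* Draw a uniform value in [0, bound) by rejection sampling, so that the
 * final modulo introduces no bias. Returns 1 on success, 0 on failure. */
int rng_uniform(unsigned int bound, unsigned int *out)
{
    unsigned int r, limit;
    if (bound == 0 || out == NULL)
        return 0;
    limit = (0u - bound) % bound;      /* (UINT_MAX + 1) mod bound */
    do {
        if (!rng_bytes((unsigned char *)&r, (int)sizeof r))
            return 0;                  /* fail closed: no weak fallback seed */
    } while (r < limit);               /* reject the biased low range */
    *out = r % bound;
    return 1;
}
```

Build with -DHAVE_LIBCRYPTO -lcrypto to route the calls through OpenSSL; without the macro the same interface reads from the OS device.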