diff options
Diffstat (limited to 'secure/lib/libcrypto/man/RAND_egd.3')
| -rw-r--r-- | secure/lib/libcrypto/man/RAND_egd.3 | 92 |
1 files changed, 33 insertions, 59 deletions
diff --git a/secure/lib/libcrypto/man/RAND_egd.3 b/secure/lib/libcrypto/man/RAND_egd.3 index cd4d91a80d6cc..15971f5edd22b 100644 --- a/secure/lib/libcrypto/man/RAND_egd.3 +++ b/secure/lib/libcrypto/man/RAND_egd.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_egd 3" -.TH RAND_egd 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_EGD 3" +.TH RAND_EGD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,75 +141,49 @@ RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes \- query entropy gathering daemon .Vb 1 \& #include <openssl/rand.h> \& +\& int RAND_egd_bytes(const char *path, int num); \& int RAND_egd(const char *path); -\& int RAND_egd_bytes(const char *path, int bytes); \& -\& int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes); +\& int RAND_query_egd_bytes(const char *path, unsigned char *buf, int num); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIRAND_egd()\fR queries the entropy gathering daemon \s-1EGD\s0 on socket \fBpath\fR. -It queries 255 bytes and uses \fIRAND_add\fR\|(3) to seed the -OpenSSL built-in \s-1PRNG.\s0 RAND_egd(path) is a wrapper for -RAND_egd_bytes(path, 255); +On older platforms without a good source of randomness such as \f(CW\*(C`/dev/urandom\*(C'\fR, +it is possible to query an Entropy Gathering Daemon (\s-1EGD\s0) over a local +socket to obtain randomness and seed the OpenSSL \s-1RNG.\s0 +The protocol used is defined by the EGDs available at +<http://egd.sourceforge.net/> or <http://prngd.sourceforge.net>. .PP -\&\fIRAND_egd_bytes()\fR queries the entropy gathering daemon \s-1EGD\s0 on socket \fBpath\fR. -It queries \fBbytes\fR bytes and uses \fIRAND_add\fR\|(3) to seed the -OpenSSL built-in \s-1PRNG.\s0 -This function is more flexible than \fIRAND_egd()\fR. -When only one secret key must -be generated, it is not necessary to request the full amount 255 bytes from -the \s-1EGD\s0 socket. This can be advantageous, since the amount of entropy -that can be retrieved from \s-1EGD\s0 over time is limited. +\&\fIRAND_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at the +specified socket \fBpath\fR, and passes the data it receives into \fIRAND_add()\fR. +\&\fIRAND_egd()\fR is equivalent to \fIRAND_egd_bytes()\fR with \fBnum\fR set to 255. .PP -\&\fIRAND_query_egd_bytes()\fR performs the actual query of the \s-1EGD\s0 daemon on socket -\&\fBpath\fR. If \fBbuf\fR is given, \fBbytes\fR bytes are queried and written into -\&\fBbuf\fR. If \fBbuf\fR is \s-1NULL,\s0 \fBbytes\fR bytes are queried and used to seed the -OpenSSL built-in \s-1PRNG\s0 using \fIRAND_add\fR\|(3). -.SH "NOTES" -.IX Header "NOTES" -On systems without /dev/*random devices providing entropy from the kernel, -the \s-1EGD\s0 entropy gathering daemon can be used to collect entropy. It provides -a socket interface through which entropy can be gathered in chunks up to -255 bytes. Several chunks can be queried during one connection. +\&\fIRAND_query_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at +the specified socket \fBpath\fR, where \fBnum\fR must be less than 256. +If \fBbuf\fR is \fB\s-1NULL\s0\fR, it is equivalent to \fIRAND_egd_bytes()\fR. +If \fBbuf\fR is not \fB\s-1NULL\s0\fR, then the data is copied to the buffer and +\&\fIRAND_add()\fR is not called. .PP -\&\s-1EGD\s0 is available from http://www.lothar.com/tech/crypto/ (\f(CW\*(C`perl -Makefile.PL; make; make install\*(C'\fR to install). It is run as \fBegd\fR -\&\fIpath\fR, where \fIpath\fR is an absolute path designating a socket. When -\&\fIRAND_egd()\fR is called with that path as an argument, it tries to read -random bytes that \s-1EGD\s0 has collected. \fIRAND_egd()\fR retrieves entropy from the -daemon using the daemon's \*(L"non-blocking read\*(R" command which shall -be answered immediately by the daemon without waiting for additional -entropy to be collected. The write and read socket operations in the -communication are blocking. -.PP -Alternatively, the EGD-interface compatible daemon \s-1PRNGD\s0 can be used. It is -available from -http://prngd.sourceforge.net/ . -\&\s-1PRNGD\s0 does employ an internal \s-1PRNG\s0 itself and can therefore never run -out of entropy. -.PP -OpenSSL automatically queries \s-1EGD\s0 when entropy is requested via \fIRAND_bytes()\fR -or the status is checked via \fIRAND_status()\fR for the first time, if the socket -is located at /var/run/egd\-pool, /dev/egd\-pool or /etc/egd\-pool. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +OpenSSL can be configured at build time to try to use the \s-1EGD\s0 for seeding +automatically. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIRAND_egd()\fR and \fIRAND_egd_bytes()\fR return the number of bytes read from the -daemon on success, and \-1 if the connection failed or the daemon did not +daemon on success, or \-1 if the connection failed or the daemon did not return enough data to fully seed the \s-1PRNG.\s0 .PP \&\fIRAND_query_egd_bytes()\fR returns the number of bytes read from the daemon on -success, and \-1 if the connection failed. The \s-1PRNG\s0 state is not considered. +success, or \-1 if the connection failed. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrand\fR\|(3), \fIRAND_add\fR\|(3), -\&\fIRAND_cleanup\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRAND_egd()\fR is available since OpenSSL 0.9.5. -.PP -\&\fIRAND_egd_bytes()\fR is available since OpenSSL 0.9.6. -.PP -\&\fIRAND_query_egd_bytes()\fR is available since OpenSSL 0.9.7. +\&\fIRAND_add\fR\|(3), +\&\fIRAND_bytes\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -The automatic query of /var/run/egd\-pool et al was added in OpenSSL 0.9.7. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. |