Re: heimdal and OpenSSL

[Richard Levitte - VMS Whacker <levitte@stacken.kth.se>]

From: "Jacques A. Vidrine" <n@nectar.com>

n> > 1. OpenSSL does not have des_new_random_key(), which Heimdal uses
n> 
n> The *BSD systems provide this in libcrypto.  One could always use the
n> one Heimdal provides on systems without it. 

As an OpenSSL developer, I'd like to know what's the actual benefit of
Heimdals des_new_random_key() over OpenSSLs des_random_key().  I
understand it's based on a different PRNG, is that the only real
difference, or does the scrambling with des_ecb_encrypt() have a
meaning I can't detect yet?

The actual main difference that I can detect is that the PRNG in
Heimdals rnd_keys.c can take seeding from any of /dev/{,s,u}random
(it's quite possible that I'll borrow some ideas for OpenSSL
there...).

In any case, since des_random_key() is provided in Heimdal for
backward compatibility, can one assume that it and
des_new_random_key() are actually interchangeable?  The comments in
Heimdals des.h seem to suggest that...

In that case, it might be possible for us to provide
des_new_random_key() as an entry point in OpenSSL.  We'll see...

n> > 2. It breaks on every operating system which do not have /dev/urandom
n> >    (see the OpenSSL sources); my patch has egd support too
n> 
n> What is `It' in the sentence above?

I'd assume he means OpenSSL :-).  And it isn't quite true, the PRNG
part works fairly well on Windows...

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.