On Mon, Jul 28, 2025 at 4:36 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> There has in the past been discussions (at least off-list in hallway tracks)
> about allowing randomness to be chosen separately from underlying factors such
> as OpenSSL support, at the time it didn't seem worth the trouble but that may
> well have changed.
Yeah, especially if other options with similar strength could be much
faster. But the comparison is really going to be OS-dependent [1, 2].
> With OpenSSL 1.1.1 being the baseline we can also make use of the _priv_bytes
> functions to get increased isolation.
Hmm, that's an interesting idea too.
To move this forward a tiny bit: I would be okay with maintaining a
new getentropy() case. (I'm less excited about getrandom() because of
its reduced reach.) And maybe down the line we should discuss choosing
an option at configure time?
--Jacob
[1] https://lwn.net/Articles/983186/
[2] https://dotat.at/@/2024-10-01-getentropy.html
