X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=doc%2Fman3%2FRAND_add.pod;h=b6753fd2ed0b1b0cac0885303226b90d76ed0622;hp=ea81492c2c55797e2549640cc26853863e1ab98d;hb=c7504aeb640a88949dfe3146f7e0f275f517464c;hpb=4871fa49cdd0d4473b6a815fc01fbde3e6ced339 diff --git a/doc/man3/RAND_add.pod b/doc/man3/RAND_add.pod index ea81492c2c..b6753fd2ed 100644 --- a/doc/man3/RAND_add.pod +++ b/doc/man3/RAND_add.pod @@ -2,8 +2,8 @@ =head1 NAME -RAND_add, RAND_poll, RAND_poll_ex, RAND_poll_cb, -RAND_seed, RAND_status, RAND_event, RAND_screen +RAND_add, RAND_poll, RAND_seed, RAND_status, RAND_event, RAND_screen, +RAND_keep_random_devices_open - add randomness to the PRNG or get its status =head1 SYNOPSIS @@ -11,15 +11,13 @@ RAND_seed, RAND_status, RAND_event, RAND_screen #include int RAND_status(void); - - typedef void (*RAND_poll_cb)(void *arg, - const void *buf, int num, double randomness); - int RAND_poll_ex(RAND_poll_cb cb, void *arg); int RAND_poll(); void RAND_add(const void *buf, int num, double randomness); void RAND_seed(const void *buf, int num); + void RAND_keep_random_devices_open(int keep); + Deprecated: #if OPENSSL_API_COMPAT < 0x10100000L @@ -29,47 +27,51 @@ Deprecated: =head1 DESCRIPTION -Random numbers are a vital part of cryptography, including key generation, -creating salts, etc., and software-based -generators must be "seeded" with external randomness before they can be -used as a cryptographically-secure pseudo-random number generator (CSPRNG). -The availability of common hardware with special instructions and -modern operating systems, which may use items such as interrupt jitter -and network packet timings, can be reasonable sources of seeding material. - -RAND_status() indicates whether or not the CSPRNG has been sufficiently -seeded. If not, functions such as RAND_bytes(3) will fail. - -RAND_poll_ex() uses the system's capabilities to obtain a buffer -containing random bits which can then be used to seed a CSPRNG. The -exact features used depends on how OpenSSL was configured, and a summary -can be displayed with the OpenSSL L command. This function -is normally called as needed by the CSPRNG. The B parameter is an -arbitrary pointer which will be passed as an argument to the callback. -The B function is called each time there is data to add. - -RAND_poll() invokes RAND_poll_ex() with B and B set so that it -will call RAND_add(), to add the randomness to the global CSPRNG. - -RAND_add() mixes the B bytes at B into the PRNG state. +These functions can be used to seed the random generator and to check its +seeded state. +In general, manual (re-)seeding of the default OpenSSL random generator +(L) is not necessary (but allowed), since it does (re-)seed +itself automatically using trusted system entropy sources. +This holds unless the default RAND_METHOD has been replaced or OpenSSL was +built with automatic reseeding disabled, see L for more details. + +RAND_status() indicates whether or not the random generator has been sufficiently +seeded. If not, functions such as L will fail. + +RAND_poll() uses the system's capabilities to seed the random generator using +random input obtained from polling various trusted entropy sources. +The default choice of the entropy source can be modified at build time, +see L for more details. + +RAND_add() mixes the B bytes at B into the internal state +of the random generator. +This function will not normally be needed, as mentioned above. The B argument is an estimate of how much randomness is contained in B, in bytes, and should be a number between zero and B. Details about sources of randomness and how to estimate their randomness -can be found in the literature; for example NIST SP 800-90B. -The content of B cannot be recovered from subsequent CSPRNG output. -This function will not normally be needed, as RAND_poll() should have been -configured to do the appropriate seeding for the local platform. -Applications that need to keep random state in an external file should -use L. +can be found in the literature; for example [NIST SP 800-90B]. +The content of B cannot be recovered from subsequent random generator output. +Applications that intend to save and restore random state in an external file +should consider using L instead. RAND_seed() is equivalent to RAND_add() with B set to B. -RAND_event() and RAND_screen() are equivalent to RAND_poll(). +RAND_keep_random_devices_open() is used to control file descriptor +usage by the random seed sources. Some seed sources maintain open file +descriptors by default, which allows such sources to operate in a +chroot(2) jail without the associated device nodes being available. When +the B argument is zero, this call disables the retention of file +descriptors. Conversely, a non-zero argument enables the retention of +file descriptors. This function is usually called during initialization +and it takes effect immediately. + +RAND_event() and RAND_screen() are equivalent to RAND_poll() and exist +for compatibility reasons only. See HISTORY section below. =head1 RETURN VALUES -RAND_status() returns 1 if the CSPRNG has been seeded +RAND_status() returns 1 if the random generator has been seeded with enough data, 0 otherwise. RAND_poll() returns 1 if it generated seed data, 0 otherwise. @@ -85,12 +87,14 @@ not be used. =head1 SEE ALSO -L, L, -L +L, +L, +L, +L =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy