[Opendnssec-develop] libhsm: hsm_random() and friends

Jelte Jansen jelte at NLnetLabs.nl
Wed May 20 10:07:38 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Dickinson wrote:
> 
> On 20 May 2009, at 10:42, Jakob Schlyter wrote:
> 
>> hi,
>>
>> can someone remind me and why we want a hsm_random() function in
>> libhsm? if not, we should remove it for now. for the jitter needed by
>> the signer, it seems a bit overkill to use the HSM for that.
> 
> 
> for the salt? Also the HSM is likely to be the best source of randomness
> in the system.
> 

turns out that implementing it was easier than discussing it, but i've done it
naively; if no tokens with rngs are attached, it will return an error (or the
not-so-random value 0).

talking about seeding; are hsm's with rngs guaranteed to be seeded? there is a
function S_SeedRandom but according to the docs this is only to add additional
seeding data. So i'm assuming that the hsm seeds itself (and that
C_GenerateRandom is a pseudo btw)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoT1moACgkQ4nZCKsdOncXc3gCdGWR/ebT51Y4v52vgHyTqIQNc
gYAAn00w4ymGuoUTCuOYUwc18HMor3eR
=4xST
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list