Diffstat (limited to 'secure/lib/libcrypto/man/man7/EVP_RAND.7')
| -rw-r--r-- | secure/lib/libcrypto/man/man7/EVP_RAND.7 | 39 |
1 files changed, 21 insertions, 18 deletions
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND.7 index 8d7ad73ee30c..d12f823753b1 100644 --- a/secure/lib/libcrypto/man/man7/EVP_RAND.7 +++ b/secure/lib/libcrypto/man/man7/EVP_RAND.7 @@ -1,5 +1,5 @@ .\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) +.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -52,10 +52,13 @@ . \} .\} .rr rF +.\" +.\" Required to disable full justification in groff 1.23.0. +.if n .ds AD l .\" ======================================================================== .\" .IX Title "EVP_RAND 7ossl" -.TH EVP_RAND 7ossl 2025-09-30 3.5.4 OpenSSL +.TH EVP_RAND 7ossl 2026-04-07 3.5.6 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -71,14 +74,14 @@ EVP_RAND \- the random bit generator .SH DESCRIPTION .IX Header "DESCRIPTION" The default OpenSSL RAND method is based on the EVP_RAND classes to provide -non-deterministic inputs to other cryptographic algorithms. +non\-deterministic inputs to other cryptographic algorithms. .PP -While the RAND API is the 'frontend' which is intended to be used by +While the RAND API is the \*(Aqfrontend\*(Aq which is intended to be used by application developers for obtaining random bytes, the EVP_RAND API -serves as the 'backend', connecting the former with the operating -systems's entropy sources and providing access to deterministic random +serves as the \*(Aqbackend\*(Aq, connecting the former with the operating +systems\*(Aqs entropy sources and providing access to deterministic random bit generators (DRBG) and their configuration parameters. -A DRBG is a certain type of cryptographically-secure pseudo-random +A DRBG is a certain type of cryptographically\-secure pseudo\-random number generator (CSPRNG), which is described in [NIST SP 800\-90A Rev. 1]. .SS Disclaimer @@ -94,7 +97,7 @@ Typical examples for such special use cases are the following: You want to use your own private DRBG instances. Multiple DRBG instances which are accessed only by a single thread provide additional security (because their internal states are independent) and -better scalability in multithreaded applications (because they don't need +better scalability in multithreaded applications (because they don\*(Aqt need to be locked). .IP \(bu 2 You need to integrate a previously unsupported entropy source. 
@@ -121,10 +124,10 @@ a live entropy source may ignore and not use its parent. Currently, there are three shared DRBG instances, the <primary>, <public>, and <private> DRBG. While the <primary> DRBG is a single global instance, the <public> and <private> -DRBG are created per thread and accessed through thread-local storage. +DRBG are created per thread and accessed through thread\-local storage. .PP By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use -the thread-local <public> and <private> DRBG instance, respectively. +the thread\-local <public> and <private> DRBG instance, respectively. .SS "The <primary> DRBG instance" .IX Subsection "The <primary> DRBG instance" The <primary> DRBG is not used directly by the application, only for reseeding 
@@ -141,24 +144,24 @@ This instance is used per default by \fBRAND_priv_bytes\fR\|(3) .IX Header "LOCKING" The <primary> DRBG is intended to be accessed concurrently for reseeding by its child DRBG instances. The necessary locking is done internally. -It is \fInot\fR thread-safe to access the <primary> DRBG directly via the +It is \fInot\fR thread\-safe to access the <primary> DRBG directly via the EVP_RAND interface. -The <public> and <private> DRBG are thread-local, i.e. there is an +The <public> and <private> DRBG are thread\-local, i.e. there is an instance of each per thread. So they can safely be accessed without locking via the EVP_RAND interface. .PP Pointers to these DRBG instances can be obtained using \&\fBRAND_get0_primary()\fR, \fBRAND_get0_public()\fR and \fBRAND_get0_private()\fR, respectively. -Note that it is not allowed to store a pointer to one of the thread-local +Note that it is not allowed to store a pointer to one of the thread\-local DRBG instances in a variable or other memory location where it will be accessed and used by multiple threads. .PP -All other DRBG instances created by an application don't support locking, +All other DRBG instances created by an application don\*(Aqt support locking, because they are intended to be used by a single thread. Instead of accessing a single DRBG instance concurrently from different threads, it is recommended to instantiate a separate DRBG instance per thread. Using the <primary> DRBG as entropy source for multiple DRBG -instances on different threads is thread-safe, because the DRBG instance +instances on different threads is thread\-safe, because the DRBG instance will lock the <primary> DRBG automatically for obtaining random input. .SH "THE OVERALL PICTURE" .IX Header "THE OVERALL PICTURE" 
@@ -249,7 +252,7 @@ previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes( .SS "Entropy Input and Additional Data" .IX Subsection "Entropy Input and Additional Data" The DRBG distinguishes two different types of random input: \fIentropy\fR, -which comes from a trusted source, and \fIadditional input\fR', +which comes from a trusted source, and \fIadditional input\fR\*(Aq, which can optionally be added by the user and is considered untrusted. It is possible to add \fIadditional input\fR not only during reseeding, but also for every generate request. @@ -259,11 +262,11 @@ In most cases OpenSSL will automatically choose a suitable seed source for automatically seeding and reseeding its <primary> DRBG. The default seed source can be configured when OpenSSL is compiled by setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then -"SEED-SRC" is used. One can specify a third-party provider seed-source, +"SEED\-SRC" is used. One can specify a third\-party provider seed\-source, or \fB\-DOPENSSL_DEFAULT_SEED_SRC=JITTER\fR if available. .PP In some cases however, it will be necessary to explicitly specify a -seed source used by "SEED-SRC" during configuration, using the +seed source used by "SEED\-SRC" during configuration, using the \&\-\-with\-rand\-seed option. For more information, see the INSTALL instructions. There are also operating systems where no seed source is available and automatic reseeding is disabled by default. |
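Review bot: The commit message should state that this is a pure regeneration, because the header hunks (@@ -1,5 +1,5 @@ and @@ -52,10 +52,13 @@) change the Pod::Man version and move the .TH line from 3.5.4 to 3.5.6, while every body hunk changes only escaping ("\-" for hyphens, "\*(Aq" for apostrophes). Without that statement a reader will search the LOCKING and seed-source text for a behavioural change that is not there.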
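Review bot: Grammar error carried through the regeneration in the DESCRIPTION hunk (@@ -71,14 +74,14 @@): the new line reads "systems\*(Aqs entropy sources", that is "operating systems's", where "operating system's" is meant. Because this file is generated, fix the wording in the POD source and regenerate instead of editing the .7 file directly.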
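Review bot: Unbalanced apostrophe in the "Entropy Input and Additional Data" hunk (@@ -249,7 +252,7 @@): "\fIadditional input\fR\*(Aq," keeps a trailing apostrophe after the italicised term with no opening quote, while the parallel term \fIentropy\fR on the line above has none. Drop the stray quote in the POD source so the trusted/untrusted input distinction reads cleanly.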
