EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is entropy. History has shown us time and again that entropy is often anything but.
The best way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG. See, for example, test/testutil/fakerandom.c for how to do this. The key is to set up the seed source before the RNG subsystem is first used.
If you simply want to replace the built-in DRBGs with a real random source, create a provider and set the appropriate environment/config variables.
Pauli
On 24/3/21 4:14 pm, Bala Duvvuri via
openssl-users wrote:
Hi All, In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with EVP_RAND implementation i.e. does it allow entropy to be provided? Thanks Bala
