RAND_add() forces a reseed to the DRBGs and uses the passed material (not as entropy but as additional input).

EVP_RAND_reseed() is a more direct interface but remember that the built in DRBGs are free to ignore what the user claims is /entropy/. History has shown us time and again that /entropy/ is often anything but.

The *best* way to do this, is to create a provider which acts as a seed source and to then use this as the parent of the primary DRBG.  See, for example, test/testutil/fakerandom.c for how to do this.  The key is to set up the seed source before the RNG subsystem is first used.

If you simply want to replace the built-in DRBGs with a real random source, create a provider and set the appropriate environment/config variables.


On 24/3/21 4:14 pm, Bala Duvvuri via openssl-users wrote:
Hi All,

In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation.

Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for 
entropy and nonce generation.

How can this be achieved with EVP_RAND implementation i.e. does it allow 
entropy to be provided?


Reply via email to