<div dir="ltr">Thanks Michael,<div><br></div><div>I am using <b>ssleay_rand_add</b> function which was present in earlier version of openssl</div><div><a href="https://code.woboq.org/crypto/openssl/crypto/rand/md_rand.c.html#ssleay_rand_add" target="_blank">https://code.woboq.org/crypto/openssl/crypto/rand/md_rand.c.html#ssleay_rand_add</a><br></div><div><br></div><div>I don't find this file or function in latest version of openssl.</div><div>As I understood recommended way is to use engine method but on embedded system we compile everything in a single elf binary.</div><div>No concept of dynamic shared object or engine , so i defined OPENSSL_NO_ENGINE to compile engine thing out.</div><div><br></div><div>Is there any default random number like md_rand.c in this version of openssl.</div><div>For entropy we will be providing SHA1/SHA2 of a mix of CPU clock and various other thing(serial #, mac, ) to seed.</div><div><br></div><div>-Thanks,</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 17, 2019 at 1:23 AM Michael Wojcik <<a href="mailto:Michael.Wojcik@microfocus.com">Michael.Wojcik@microfocus.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">> From: openssl-users [mailto:<a href="mailto:openssl-users-bounces@openssl.org" target="_blank">openssl-users-bounces@openssl.org</a>] On Behalf Of Chitrang Srivastava<br>
> Sent: Tuesday, April 16, 2019 08:24<br>
<br>
> I need suggestion regarding random number interface , earlier we were using RAND_METHOD.<br>
<br>
That's a mechanism for telling OpenSSL what mechanism to use for its cryptographically-strong pseudorandom number generator (CPRNG).<br>
<br>
> Can I still use the same mechanism? Because I see new code rand folder contains OS specific<br>
> implementation of<br>
><br>
> rand_pool_acquire_entropy<br>
> rand_pool_add_nonce_data<br>
> rand_pool_add_additional_data<br>
<br>
That's part of OpenSSL's mechanism for getting entropy for the CPRNG. The CPRNG needs this, but they are not the same thing.<br>
<br>
> As I understand , above function also needs to be ported?<br>
<br>
I believe you'll need some implementation of them, but I haven't poked around this corner of the OpenSSL 1.1 sources.<br>
<br>
> Any document to start with porting random number to any platform.<br>
<br>
The CPRNG seeding mechanism is cryptographically sensitive, and should not be implemented by a non-expert. What does your existing implementation do to provide entropy for the OpenSSL CPRNG? If the answer is "nothing" (or something that's not adequately opaque to an attacker), then your product has seriously flawed security. An attacker who can guess the entropy for the CPRNG pool can break your encryption.<br>
<br>
It will also be platform-specific (though some mechanisms will exist on multiple platforms), so there can't be much guidance on doing it for "any platform".<br>
<br>
The literature on seeding CPRNGs is fairly extensive. It's often a challenge for embedded applications, particularly SOC-based ones which may not have much in the way of internal noise sources such as clock skew. Some CPUs have entropy sources, such as Intel's RDRAND; if you trust them (and in an embedded application you may not have much choice) you can use that.<br>
<br>
--<br>
Michael Wojcik<br>
Distinguished Engineer, Micro Focus<br>
<br>
</blockquote></div>