> I realize that reseed() not only mixes my “additional input” but also
> replaces the entire state. NIST does not specify an interface to “just” mix
> the “additional input” into the state without replacing the whole state
> with some fresh entropy by calling Get_entropy_input(). Maybe we can provide
> such a function call (that’s what I think RAND_add() is supposed to do),
> but I’m not certain here…
The reseed() operation pulls fresh entropy, but the old state is not discarded. Instead, the fresh entropy is mixed in, just like the additional input (and the reseed_counter is reset).

Have a look at ctr_update() and ctr_df() and you will see that the 'entropy' and the 'adin' input are treated the same way to change the internal state. The derivation function treats 'entropy' and 'adin' equally; it's just a difference in interpretation (trusted vs. untrusted randomness).

The NIST document also has a lot of nice graphics to explain the inner workings. This helped me a lot to understand the details.

Matthias
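A minimal model of the reseed path described in the reply above, written as an added example and not taken from OpenSSL: it implements CTR_DRBG_Update (SP 800-90A) with AES-128 and no derivation function, so OpenSSL's ctr_df compression step is omitted and entropy and seed inputs are assumed to be exactly seedlen bytes. Reseeding two differently instantiated DRBGs with identical entropy and adin leaves them in different states, because the old Key and V generate the keystream that the new state is derived from.

```go
package main

import "crypto/aes"

// CTR_DRBG with AES-128 (SP 800-90A): keylen 16 + blocklen 16 = seedlen 32.
const keyLen, blockLen, seedLen = 16, 16, 32

type drbg struct{ key, v []byte } // Key and V; reseed_counter omitted for brevity

// ctrUpdate is CTR_DRBG_Update (no derivation function): encrypt V+1, V+2 under the
// OLD key, XOR that keystream with providedData (entropy, adin or both) -> new Key||V.
func (d *drbg) ctrUpdate(providedData []byte) {
	blk, _ := aes.NewCipher(d.key) // key is always keyLen bytes, so no error
	temp := make([]byte, seedLen)
	for off := 0; off < seedLen; off += blockLen {
		for i := blockLen - 1; i >= 0; i-- { // V = (V + 1) mod 2^128
			if d.v[i]++; d.v[i] != 0 {
				break
			}
		}
		blk.Encrypt(temp[off:], d.v)
	}
	for i := range temp {
		temp[i] ^= providedData[i] // providedData is exactly seedLen bytes
	}
	d.key, d.v = temp[:keyLen], temp[keyLen:]
}

// newDRBG instantiates with Key = 0, V = 0 and one Update of the seed material.
func newDRBG(seed []byte) *drbg {
	d := &drbg{key: make([]byte, keyLen), v: make([]byte, blockLen)}
	d.ctrUpdate(seed)
	return d
}

// reseed: seed_material = entropy (seedLen bytes) XOR pad(adin), then Update.
func (d *drbg) reseed(entropy, adin []byte) {
	seed := make([]byte, seedLen)
	copy(seed, entropy)
	for i := range adin {
		seed[i] ^= adin[i]
	}
	d.ctrUpdate(seed)
}

func main() {
	a, b := newDRBG(make([]byte, seedLen)), newDRBG([]byte("constructed seed b, 32 bytes!!!!"))
	a.reseed(make([]byte, seedLen), []byte("adin")) // constructed, not real entropy
	b.reseed(make([]byte, seedLen), []byte("adin"))
	println("states differ after identical reseed:", string(a.key) != string(b.key))
}
```

With the derivation function variant, ctr_df first compresses the concatenated inputs to seedlen bytes; the Update step that follows is the same one shown here, which is why entropy and adin end up treated alike.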
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev