Thanks Michael,

I am using the *ssleay_rand_add* function, which was present in an earlier version of OpenSSL:
https://code.woboq.org/crypto/openssl/crypto/rand/md_rand.c.html#ssleay_rand_add

I don't find this file or function in the latest version of OpenSSL. As I understand it, the recommended way is to use the engine method, but on an embedded system we compile everything into a single ELF binary. There is no concept of a dynamic shared object or engine, so I defined OPENSSL_NO_ENGINE to compile the engine code out. Is there any default random number generator like md_rand.c in this version of OpenSSL? For entropy we will be providing SHA1/SHA2 of a mix of CPU clock and various other things (serial #, mac, ) to seed.

-Thanks,

On Wed, Apr 17, 2019 at 1:23 AM Michael Wojcik <michael.woj...@microfocus.com> wrote:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chitrang Srivastava
> > Sent: Tuesday, April 16, 2019 08:24
> >
> > I need a suggestion regarding the random number interface; earlier we were using RAND_METHOD.
>
> That's a mechanism for telling OpenSSL what mechanism to use for its
> cryptographically-strong pseudorandom number generator (CPRNG).
>
> > Can I still use the same mechanism? Because I see the new code's rand folder contains OS-specific
> > implementations of
> >
> > rand_pool_acquire_entropy
> > rand_pool_add_nonce_data
> > rand_pool_add_additional_data
>
> That's part of OpenSSL's mechanism for getting entropy for the CPRNG. The
> CPRNG needs this, but they are not the same thing.
>
> > As I understand, the above functions also need to be ported?
>
> I believe you'll need some implementation of them, but I haven't poked
> around this corner of the OpenSSL 1.1 sources.
>
> > Any document to start with for porting random number generation to any platform?
>
> The CPRNG seeding mechanism is cryptographically sensitive, and should not
> be implemented by a non-expert. What does your existing implementation do
> to provide entropy for the OpenSSL CPRNG? If the answer is "nothing" (or
> something that's not adequately opaque to an attacker), then your product
> has seriously flawed security. An attacker who can guess the entropy for
> the CPRNG pool can break your encryption.
>
> It will also be platform-specific (though some mechanisms will exist on
> multiple platforms), so there can't be much guidance on doing it for "any
> platform".
>
> The literature on seeding CPRNGs is fairly extensive. It's often a
> challenge for embedded applications, particularly SOC-based ones which may
> not have much in the way of internal noise sources such as clock skew. Some
> CPUs have entropy sources, such as Intel's RDRAND; if you trust them (and
> in an embedded application you may not have much choice) you can use that.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus