OpenSSL will try to use the random sources available from the OS, so supplying 
your own additional randomization is usually not required.  You can call 
RAND_status() to determine whether the library was successful in getting enough 
random data that it decides it can start providing random numbers.  It will 
return a 1 if it was, or a 0 if more random data is needed.

That being said, the randomization algorithm used by OpenSSL is designed so 
that the randomness of the numbers returned will not be reduced by submitting 
additional random or pseudo-random data using the RAND_add() call.  I always 
make it a habit to write my code so it saves a file of random data when OpenSSL 
is closed, and loads that same random data file the next time it is opened.  
(See the functions RAND_write_file() and RAND_load_file().)  That way I know 
that OpenSSL will start in a well-randomized state, and any additional 
randomization initialization done by the library can only make things better.  
If you have access to other information that is pseudo-random, such as network 
packets, it might not be a bad idea to call RAND_add() on that data as well.

RAND_screen() is specific to Windows, and takes a snapshot of the desktop to use 
as random data.  It won't hurt to call this if you can, but it is not 
particularly effective.  There are also some situations, such as calling OpenSSL 
from a Windows service, where the desktop is static or not available.  That is 
why OpenSSL no longer relies on it.

Brant

-----Original Message-----

Sent: Wednesday, August 22, 2012 10:07 AM
To: openssl-users@openssl.org
Subject: Entropy for OpenSSL

I'm looking at
https://groups.google.com/forum/?fromgroups#!topic/mailing.openssl.users/j8ObkLf6xgs

Do I interpret it correctly as saying that, assuming I do not have some clever 
source of entropy of my own, I should just "do nothing" and let OpenSSL do 
what it decides is best? In other words, that I should NOT call
app_RAND_load_file() (as the current source for s_client does) nor
RAND_screen() (as O'Reilly sort-of advises)?

Thanks,
Charles 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org