authorPauli <ppzgs1@gmail.com>2024-06-27 10:08:05 +1000
committerPauli <ppzgs1@gmail.com>2024-06-29 14:13:12 +1000
commit5258715faf9c5f2ecd18a278d70c2b812592c5ae (patch)
tree3434e7b16b4445224aba7f22d9144d67eafbee04
parent89f27ae1f3eaec16e8617afa202d893debba3543 (diff)
Clarify DRBG seeding.
There is a legacy code path that OpenSSL won't use anymore but applications could. Add a comment indicating this to avoid confusion for people not intimately conversant with the nuances in the RNG code. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24745) (cherry picked from commit 1eb122aa0ca152dc564e61674caf3f11acd85b57)
-rw-r--r--providers/implementations/rands/drbg.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index 41ff2a8e33..9ab18af900 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -203,6 +203,11 @@ static size_t get_entropy(PROV_DRBG *drbg, unsigned char **pout, int entropy,
return ossl_crngt_get_entropy(drbg, pout, entropy, min_len, max_len,
prediction_resistance);
#else
+ /*
+ * In normal use (i.e. OpenSSL's own uses), this is never called.
+ * Outside of the FIPS provider, OpenSSL sets its DRBGs up so that
+ * they always have a parent. This remains purely for legacy reasons.
+ */
return ossl_prov_get_entropy(drbg->provctx, pout, entropy, min_len,
max_len);
#endif
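Review bot: The new comment says "this is never called" without naming what "this" is; placed above the `ossl_prov_get_entropy()` call inside the `#else` branch, it can be read as referring to `get_entropy()` as a whole, which the FIPS branch just above clearly does use. I would word the first line as `* In normal use (i.e. OpenSSL's own uses), this branch is never reached.` Since the commit message says applications can still take this path, the comment could also record that `prediction_resistance` is forwarded to `ossl_crngt_get_entropy()` in the FIPS branch but is not passed to `ossl_prov_get_entropy()` here. A caller that instantiates a parentless DRBG and requests prediction resistance therefore appears to depend entirely on what the provider's entropy callback returns; that is inferred from the two visible calls and should be confirmed against the callback's contract. The body of `get_entropy()` begins outside this hunk, so the condition that selects this path (no parent DRBG, per the comment) is not visible here.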