Hello,
I was trying to replace our own implementation of CTR_DRBG in GnuTLS[1] with the one provided by Nettle. It is, however, blocked as it is currently not possible to reseed an already initialized instance without re-initializing it, which is needed for FIPS 140-3 compliance.
I would suggest either:
- making drbg_ctr_aes256_output internally do reseeding based on the interval defined in SP800-90A
- exposing drbg_ctr_aes256_update as a public function, so applications (e.g., GnuTLS) can implement the reseeding logic
I've filed an MR for the latter[2]. Could you take a look?
Footnotes:
[1] https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/int/drbg-aes.c?ref...
[2] https://git.lysator.liu.se/nettle/nettle/-/merge_requests/69
Regards,
nettle-bugs@lists.lysator.liu.se
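As an added example (not code from Nettle, GnuTLS or the merge request above), here is the SP 800-90A CTR_DRBG reseed bookkeeping that the first option would put inside drbg_ctr_aes256_output: generate refuses to produce output once reseed_counter exceeds the interval, and reseed refreshes Key and V in place without re-instantiating. The block cipher is a stand-in (keyed BLAKE2b instead of AES-256) so it runs with the standard library only, and CtrDrbg, _ctr_blocks and block_encrypt are names chosen for this example.

```python
import hashlib

BLOCKLEN = 16                # AES block size in bytes
KEYLEN = 32                  # AES-256 key size
SEEDLEN = BLOCKLEN + KEYLEN  # seedlen for CTR_DRBG without derivation function
RESEED_INTERVAL = 2 ** 48    # maximum for CTR_DRBG per SP 800-90A Table 3


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: keyed BLAKE2b stands in for AES-256 so this runs offline;
    # CTR_DRBG only ever uses the forward direction of the cipher.
    return hashlib.blake2b(block, key=key, digest_size=BLOCKLEN).digest()


def _ctr_blocks(key: bytes, v: bytes, nbytes: int) -> tuple:
    # Counter-mode keystream: increment V before each block (SP 800-90A 10.2.1).
    ctr, out = int.from_bytes(v, "big"), b""
    while len(out) < nbytes:
        ctr = (ctr + 1) % (1 << (8 * BLOCKLEN))
        out += block_encrypt(key, ctr.to_bytes(BLOCKLEN, "big"))
    return out[:nbytes], ctr.to_bytes(BLOCKLEN, "big")


class CtrDrbg:
    def __init__(self, entropy: bytes, reseed_interval: int = RESEED_INTERVAL):
        # Instantiate: Key = 0, V = 0, then Update with the seed material.
        self.key, self.v = bytes(KEYLEN), bytes(BLOCKLEN)
        self.reseed_interval = reseed_interval
        self.reseed(entropy)

    def _update(self, provided_data: bytes) -> None:
        # CTR_DRBG_Update: temp = keystream XOR provided_data -> new (Key, V).
        temp, _ = _ctr_blocks(self.key, self.v, SEEDLEN)
        temp = bytes(a ^ b for a, b in zip(temp, provided_data))
        self.key, self.v = temp[:KEYLEN], temp[KEYLEN:]

    def reseed(self, entropy: bytes) -> None:
        # Reseed in place, as GnuTLS needs: fresh entropy, counter back to 1.
        if len(entropy) != SEEDLEN:
            raise ValueError("seed material must be exactly seedlen bytes")
        self._update(entropy)
        self.reseed_counter = 1

    def generate(self, nbytes: int) -> bytes:
        # SP 800-90A: no output once the interval is exhausted; the caller
        # (or, under the first option, this function itself) must reseed first.
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")
        out, self.v = _ctr_blocks(self.key, self.v, nbytes)
        self._update(bytes(SEEDLEN))  # no additional input
        self.reseed_counter += 1
        return out
```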