OpenSSL-3.+ how to configure [random]?

[Dr Paul Dale]

Currently there is exactly one seed source that is usable in OpenSSL 
3.0: "SEED-SRC".  It is documented in EVP_RAND-SEED-SRC.  The reason the 
seed source can be set is to allow you to use a third party provider 
than includes one.

If you want to force RDRAND as the only seeding source, this needs to be 
done at configuration time with the --with-rand-seed configuration 
option.  Note that this will enable RDSEED in preference to RDRAND but 
will use RDRAND if RDSEED isn't available.

I assume that you meant openssl info -seeds not openssl list -seeds.  
This lists the seed sources that were configured at build time.


There is no relationship between the RDRAND engine and the seed 
sources.  Well, they both use the same machine instruction to get the 
seed material but it's called from completely different places.


Yes, the man pages could be more informative and user friendly :(


Pauli

On 10/11/21 12:35 pm, Blumenthal, Uri - 0553 - MITLL wrote:
> "man config" for OpenSSL-3.0 and newer says that there can be "[random]" section in "openssl.cnf", where I can specify type of RNG, other things, and *seed*, and seed *properties*.
>
> Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:
>
>     Random Configuration
>         The name random in the initialization section names the section containing the random number
>         generater settings.
>
>         Within the random section, the following names have meaning:
>
>         random
>             This is used to specify the random bit generator.  For example:
>
>              [random]
>              random = CTR-DRBG
>
>             The available random bit generators are:
>
>             CTR-DRBG
>             HASH-DRBG
>             HMAC-DRBG
> .  .  .  .  .
>         properties
>             This sets the property query used when fetching the random bit generator and any
>             underlying algorithms.
>
>         seed
>             This sets the randomness source that should be used.  By default SEED-SRC will be used
>             outside of the FIPS provider.  The FIPS provider uses call backs to access the same
>             randomness sources from outside the validated boundary.
>
>         seed_properties
>             This sets the property query used when fetching the randomness source.
>
> I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK. What properties can I set, if any? How does this "[random]" relate to the RDRAND *engine* (see below)?
>
> $ openssl3 engine rdrand -t
> (rdrand) Intel RDRAND engine
>       [ available ]
>
>
> Thanks!
> --
> Regards,
> Uri Blumenthal                              Voice: (781) 981-1638
> Secure Resilient Systems and Technologies   Cell:  (339) 223-5363
> MIT Lincoln Laboratory
> 244 Wood Street, Lexington, MA  02420-9108
>   
> Web:     https://www.ll.mit.edu/biographies/uri-blumenthal
> Root CA: https://www.ll.mit.edu/llrca2.pem
>   
> There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
>                                                                                                                                       -  C. A. R. Hoare
>