Entropy Source for Openssl 3.8
Dr Paul Dale
pauli at openssl.org
Wed Aug 30 23:12:53 UTC 2023
Yes, FIPS places a lot of restrictions on the entropy source. The SP
800-90{A,B,C} documents specify what is required.

I'm not sure how it is even possible to validate the x86 RDRAND entropy
source. The unmodified raw entropy has to be tested and this is not
accessible that I'm aware of. Still, I'm sure the labs have figured out
some clever wording which lets them get approval.

As for the OpenSSL FIPS provider, we simply don't include any entropy
source and abrogate collection to libcrypto (outside of the FIPS
boundary). This is why we have the caveat: /When operated in FIPS mode.
No assurance of the minimum strength of generated keys/ on our certificate.

If this worked as it was meant to, you would be able to use a FIPS
validated entropy source to feed the FIPS provider. As I understand,
this is permitted under FIPS if the data are transferred via a /secure
channel/ between the two FIPS boundaries.

Pauli

On 31/8/23 09:02, rsbecker at nexbridge.com wrote:
>
> Pauli,
>
> Isn’t there a restriction on the entropy source used for FIPS? On x86,
> the hardware randomizer is acceptable to FIPS, for example, but on
> ia64, using an arbitrary entropy source that does not quite pass FIPS
> randomness requirements is not. I went through this trying to build a
> hardware source outside of the ia64 chip during my port, but it was
> not random enough. I worry that Manish’s requirement might end up in
> the same class as my ia64 randomness provider and not pass muster.
>
> On the other hand, there are hardware HKSM devices that are far better
> than the Intel x86 hardware randomizer that should be supported via
> providers (and FIPS but I am not aware of how to do that).
>
> Sincerely,
>
> Randall
>
> *From:* openssl-users <openssl-users-bounces at openssl.org> *On Behalf Of*
> Dr Paul Dale
> *Sent:* Wednesday, August 30, 2023 6:51 PM
> *To:* Manish Patidar <mann.patidar at gmail.com>
> *Cc:* openssl-users at openssl.org
> *Subject:* Re: Entropy Source for Openssl 3.8
>
> Manish,
>
> The code there is somewhat confused by the way the FIPS provider
> gathers its entropy.
> It doesn't access the seed source directly, instead it has call-backs
> into libcrypto to request entropy.
> The critical function is ossl_rand_get_entropy in
> crypto/rand/prov_seed.c. This function satisfies the FIPS provider's
> request for entropy and it doesn't access the seed source specified,
> instead it goes directly to OpenSSL's internal entropy gathering.
>
> So, no, there isn't a way to do what you want.
>
> It wasn't intended to operate this way and I'll look at producing a fix.
>
> Pauli
>
> On 31/8/23 03:59, Manish Patidar wrote:
>
> Hi Paul,
>
> I have created a provider for entropy and set the seed source
> using RAND_set_seed_source_type(). This is working fine in non-fips
> mode but it's not working in fips mode.
>
> Looks like the entropy provider can't be used in fips mode.
>
> RAND_bytes_ex -> RAND_get0_public -> RAND_get0_primary:
>
> Code which gets entropy from the provider is under #ifndef FIPS_MODULE
>
>     #ifndef FIPS_MODULE
>         if (dgbl->seed == NULL) {
>             dgbl->seed = rand_new_seed(ctx);
>         }
>     #endif
>         dgbl->primary = rand_new_drbg(ctx, dgbl->seed);
>
> In non-fips mode, dgbl->seed is not NULL (acts as parent) but in
> fips mode it is NULL and the parent is NULL.
>
> Is this correct?
>
> Is there any way to set a custom entropy source in fips mode?
>
> Regards
>
> Manish
>
> On Wed, 12 Jul 2023, 5:10 am Dr Paul Dale, <pauli at openssl.org> wrote:
>
> Manish et al,
>
> If you create a provider that supplies an equivalent to
> EVP_RAND_seed that accesses your hardware entropy source, you
> can use this for both the FIPS and non-FIPS case. Call
> RAND_set_seed_source_type() early on to use your seed source
> instead of the built in ones. Alternatively, this can be done
> via configuration (search for "seed" in the config(5) man page
> for details).
>
>
> Paul Dale
>
> On 11/7/23 01:34, Manish Patidar wrote:
>
> Thanks Pauli for your response.
> Still I am not clear how to feed the h/w entropy to openssl.
>
> For non-fips mode, as per your suggestion, we have two
> options:
>
> 1. RAND_set_rand_method/RAND_set_rand_engine
>
> Need to implement a method using EVP_RAND (EVP_RAND_fetch,
> EVP_RAND_CTX_new, EVP_RAND_instantiate, EVP_RAND_seed,
> EVP_RAND_generate)
>
> and set the method (RAND_set_rand_method) to openssl
>
> How to feed h/w entropy, using EVP_RAND_seed?
>
> 2. Write a new provider, if we can't use the above method
> We can refer to test/testutil/fake_random.c?
> Internally, can we use EVP_RAND (AES_CTR DRBG) in
> provider implementation?
>
> For fips mode:
>
> We need to use AES_CTR drbg, how to provide hardware
> entropy to FIPS providers?
> How to replace "seed" source, can you please provide
> more details?
>
>
> Is it possible to have a common solution for both FIPS and
> non-FIPS mode ?
>
> Regards
>
> Manish
>
> On Mon, Jun 26, 2023 at 3:18 AM Dr Paul Dale
> <pauli at openssl.org> wrote:
>
> Both RAND_set_rand_method and RAND_set_rand_engine exist in 3.0.8.
> They are deprecated but I doubt they'll be removed for a long time --
> per our policies, they won't be before OpenSSL 4.0 is released.
>
> If you really want to avoid these two, you will have to write a
> provider that implements access to the entropy source. You can then
> use this provider instead of OpenSSL's default sources. I suggest
> looking at the "test" and "seed" randoms.
>
> For FIPS usage, it would be easiest to replace the "seed" source and
> this is outside the FIPS boundary. If your RNG is FIPS validated, it
> should be possible to use it directly, although the path is more
> complex.
>
>
> Pauli
>
> On 25/6/23 07:34, Manish Patidar wrote:
> > Hi
> > I am using Openssl 3.8 on rtos, we have hardware random entropy
> > source for RNG. In our env, Openssl used entropy source is not
> > available.
> >
> > Looks like entropy callback which used to be available in earlier
> > versions, is no more supported. I am wondering how to plug in
> > hardware entropy to Openssl.
> >
> > We are going to use h/w entropy in fips mode also, so we need solution
> > which works for both mode.
> >
> > It will be really helpful if someone guide how to use h/w entropy
> > source in openssl 3.8
> >
> > Regards
> > Manish
>
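
The configuration route mentioned in the 12 Jul 2023 message above (the "seed" entry described in config(5)), sketched as an added example that is not part of the original thread or of OpenSSL's own files. The provider name hwseed, its module path and the algorithm name HW-SEED are placeholders for a provider you would write yourself; as the 30 Aug 2023 reply notes, the FIPS provider's entropy call-back did not use the configured seed source at that time.

```ini
# Added example: select a custom seed source through the OpenSSL config file.
# "hwseed", its module path and "HW-SEED" are hypothetical placeholders.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
random = random_sect

[provider_sect]
default = default_sect
hwseed = hwseed_sect

[default_sect]
activate = 1

[hwseed_sect]
# Placeholder path to the provider that exposes the hardware entropy source
module = /path/to/hwseed.so
activate = 1

[random_sect]
# DRBG type and cipher used for the library's random generators
random = CTR-DRBG
cipher = AES-256-CTR
# Seed source feeding the primary DRBG; the built-in default is SEED-SRC
seed = HW-SEED
# Property query used when fetching the seed source (placeholder value)
seed_properties = provider=hwseed
```

As with the "call early on" advice for RAND_set_seed_source_type(), the configuration has to be in effect before the first random bytes are requested.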