Entropy Source for Openssl 3.8

Manish Patidar mann.patidar at gmail.com
Mon Jul 10 15:34:46 UTC 2023


Thanks Pauli for your response.
Still I am not clear how to feed the h/w entropy to openssl.

For non-FIPS mode, as per your suggestion, we have two options:

1. RAND_set_rand_method/RAND_set_rand_engine
    Need to implement a method using EVP_RAND (EVP_RAND_fetch,
EVP_RAND_CTX_new, EVP_RAND_instantiate, EVP_RAND_seed, EVP_RAND_generate)
    and set the method (RAND_set_rand_method) in openssl.
    How to feed h/w entropy using EVP_RAND_seed?

2. Write a new provider, if we can't use the above method
    Can we refer to test/testutil/fake_random.c?
    Internally, can we use EVP_RAND (AES_CTR DRBG) in the provider
implementation?

For FIPS mode:
    We need to use the AES_CTR drbg; how to provide hardware entropy to FIPS
providers?
    How to replace the "seed" source? Can you please provide more details?

Is it possible to have a common solution for both FIPS and non-FIPS modes?

Regards
Manish

On Mon, Jun 26, 2023 at 3:18 AM Dr Paul Dale <pauli at openssl.org> wrote:

> Both RAND_set_rand_method and RAND_set_rand_engine exist in 3.0.8. They
> are deprecated but I doubt they'll be removed for a long time -- per our
> policies, they won't be before OpenSSL 4.0 is released.
>
> If you really want to avoid these two, you will have to write a provider
> that implements access to the entropy source.  You can then use this
> provider instead of OpenSSL's default sources.  I suggest looking at the
> "test" and "seed" randoms.
>
> For FIPS usage, it would be easiest to replace the "seed" source and
> this is outside the FIPS boundary.  If your RNG is FIPS validated, it
> should be possible to use it directly, although the path is more complex.
>
>
> Pauli
>
> On 25/6/23 07:34, Manish Patidar wrote:
> > Hi
> > I am using Openssl 3.8 on RTOS; we have a hardware random entropy source
> > for RNG.   In our env, the entropy source used by Openssl is not available.
> >
> > Looks like the entropy callback which used to be available in earlier
> > versions is no longer supported.  I am wondering how to plug
> > hardware entropy into Openssl.
> >
> > We are going to use h/w entropy in FIPS mode also, so we need a solution
> > which works for both modes.
> >
> > It will be really helpful if someone can guide how to use the h/w entropy
> > source in openssl 3.8.
> >
> > Regards
> > Manish
>
>