Entropy Source for Openssl 3.8

Dr Paul Dale pauli at openssl.org
Sun Jun 25 21:48:01 UTC 2023


Both RAND_set_rand_method and RAND_set_rand_engine exist in 3.0.8. They 
are deprecated but I doubt they'll be removed for a long time -- per our 
policies, they won't be before OpenSSL 4.0 is released.

If you really want to avoid these two, you will have to write a provider 
that implements access to the entropy source.  You can then use this 
provider instead of OpenSSL's default sources.  I suggest looking at the 
"test" and "seed" randoms.

For FIPS usage, it would be easiest to replace the "seed" source and 
this is outside the FIPS boundary.  If your RNG is FIPS validated, it 
should be possible to use it directly, although the path is more complex.


Pauli

On 25/6/23 07:34, Manish Patidar wrote:
> Hi
> I am using Openssl 3.8 on rtos, we have a hardware random entropy source 
> for RNG.   In our env, the entropy source Openssl uses is not available.
>
> Looks like the entropy callback which used to be available in earlier 
> versions is no longer supported.  I am wondering how to plug in 
> hardware entropy to Openssl.
>
> We are going to use h/w entropy in fips mode also, so we need a solution 
> which works for both modes.
>
> It will be really helpful if someone could guide me on how to use a h/w 
> entropy source in openssl 3.8
>
> Regards
> Manish


