RAND, FIPS and providers
Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Tue Sep 24 08:58:17 UTC 2019
>> As for what to fetch: the DRBG instances and the seed material source would be ideal, although we don’t need the seed source for FIPS (so long as the DRBGs seed from inside their own provider).
> I had always assumed we would fetch DRBG instances.
It would also make sense to make the entropy sources themselves fetchable and configurable. This would enable us to
- separate FIPS and non-FIPS entropy sources (using the 'fips' attribute)
- make the entropy search policy configurable via config file (search order, blocking vs. non-blocking, ...)
and it would also enable third party providers to plug in their (FIPS certified) hardware modules as entropy sources.
In this context it might help to revisit Pauli's long standing and still unresolved issue #4394:
- Multiple entropy source handling - https://github.com/openssl/openssl/issues/4394
More information about the openssl-project