OpenSSL-3.+ how to configure [random]?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Nov 10 02:35:39 UTC 2021


"man config" for OpenSSL-3.0 and newer says that there can be a "[random]" section in "openssl.cnf", where I can specify the type of RNG, other things, and *seed*, and seed *properties*.

Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:

   Random Configuration
       The name random in the initialization section names the section containing the random number
       generator settings.

       Within the random section, the following names have meaning:

       random
           This is used to specify the random bit generator.  For example:

            [random]
            random = CTR-DRBG

           The available random bit generators are:

           CTR-DRBG
           HASH-DRBG
           HMAC-DRBG
.  .  .  .  .
       properties
           This sets the property query used when fetching the random bit generator and any
           underlying algorithms.

       seed
           This sets the randomness source that should be used.  By default SEED-SRC will be used
           outside of the FIPS provider.  The FIPS provider uses call backs to access the same
           randomness sources from outside the validated boundary.

       seed_properties
           This sets the property query used when fetching the randomness source.

I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK. What properties can I set, if any? How does this "[random]" relate to the RDRAND *engine* (see below)?

$ openssl3 engine rdrand -t
(rdrand) Intel RDRAND engine
     [ available ]


Thanks!
--
Regards,
Uri Blumenthal                              Voice: (781) 981-1638 
Secure Resilient Systems and Technologies   Cell:  (339) 223-5363
MIT Lincoln Laboratory                      
244 Wood Street, Lexington, MA  02420-9108      
 
Web:     https://www.ll.mit.edu/biographies/uri-blumenthal
Root CA: https://www.ll.mit.edu/llrca2.pem
 
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
    -  C. A. R. Hoare
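
Added example, not part of the original post and not OpenSSL code: a small Python check that follows the indirection the quoted man page text describes (initialization section, then the random section it names) and flags names or generator values the excerpt does not list. The openssl_conf entry point and the cipher and digest names are assumptions taken from config(5) beyond what is quoted above; the sample config is constructed.

```python
import re

# Names from the config(5) excerpt quoted above; "cipher" and "digest" are
# assumed from the part of the man page that the post elides.
KNOWN_KEYS = {"random", "cipher", "digest", "properties", "seed", "seed_properties"}
KNOWN_DRBGS = {"CTR-DRBG", "HASH-DRBG", "HMAC-DRBG"}

def parse_cnf(text):
    """Parse OpenSSL config text into {section: {name: value}}."""
    sections, current = {"default": {}}, "default"  # unnamed leading section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: no quoted '#'
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            sections[current][name] = value
    return sections

def check_random(text):
    """Return findings for the section reached via openssl_conf -> init -> random."""
    cnf = parse_cnf(text)
    init = cnf["default"].get("openssl_conf")
    if init is None or init not in cnf:
        return ["no initialization section: openssl_conf is unset or dangling"]
    rand_name = cnf[init].get("random")
    if rand_name not in cnf:
        return [f"[{init}] names random section {rand_name!r}, which is not defined"]
    findings = []
    for name, value in cnf[rand_name].items():
        if name not in KNOWN_KEYS:
            findings.append(f"unknown name '{name}' in [{rand_name}]")
        elif name == "random" and value.upper() not in KNOWN_DRBGS:
            findings.append(f"'{value}' is not a listed random bit generator")
    return findings

# Constructed sample: a typo in the DRBG name and a misspelled key.
SAMPLE = """
openssl_conf = openssl_init
[openssl_init]
random = random
[random]
random = CTR_DRBG
seed_property = provider=default
"""

if __name__ == "__main__":
    print("\n".join(check_random(SAMPLE)))
```

The check covers only the name set and the three generator names; it does not judge seed values, since the excerpt names SEED-SRC as the default but does not list what else is accepted.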
 