OpenSSL-3.+ how to configure [random]?
Dr Paul Dale
pauli at openssl.org
Wed Nov 10 02:49:09 UTC 2021
Currently there is exactly one seed source that is usable in OpenSSL
3.0: "SEED-SRC". It is documented in EVP_RAND-SEED-SRC. The reason the
seed source can be set is to allow you to use a third party provider
than includes one.
If you want to force RDRAND as the only seeding source, this needs to be
done at configuration time with the --with-rand-seed configuration
option. Note that this will enable RDSEED in preference to RDRAND but
will use RDRAND if RDSEED isn't available.
I assume that you meant openssl info -seeds not openssl list -seeds.
This lists the seed sources that were configured at build time.
There is no relationship between the RDRAND engine and the seed
sources. Well, they both use the same machine instruction to get the
seed material but it's called from completely different places.
Yes, the man pages could be more informative and user friendly :(
On 10/11/21 12:35 pm, Blumenthal, Uri - 0553 - MITLL wrote:
> "man config" for OpenSSL-3.0 and newer says that there can be "[random]" section in "openssl.cnf", where I can specify type of RNG, other things, and *seed*, and seed *properties*.
> Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:
> Random Configuration
> The name random in the initialization section names the section containing the random number
> generater settings.
> Within the random section, the following names have meaning:
> This is used to specify the random bit generator. For example:
> random = CTR-DRBG
> The available random bit generators are:
> . . . . .
> This sets the property query used when fetching the random bit generator and any
> underlying algorithms.
> This sets the randomness source that should be used. By default SEED-SRC will be used
> outside of the FIPS provider. The FIPS provider uses call backs to access the same
> randomness sources from outside the validated boundary.
> This sets the property query used when fetching the randomness source.
> I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK. What properties can I set, if any? How does this "[random]" relate to the RDRAND *engine* (see below)?
> $ openssl3 engine rdrand -t
> (rdrand) Intel RDRAND engine
> [ available ]
> Uri Blumenthal Voice: (781) 981-1638
> Secure Resilient Systems and Technologies Cell: (339) 223-5363
> MIT Lincoln Laboratory
> 244 Wood Street, Lexington, MA 02420-9108
> Web: https://www.ll.mit.edu/biographies/uri-blumenthal
> Root CA: https://www.ll.mit.edu/llrca2.pem
> There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
> The other is to make it so complex there are no obvious deficiencies.
> - C. A. R. Hoare
More information about the openssl-users