OpenSSL 3.0.0 custom entropy source
Kory Hamzeh
kory at avatarci.com
Mon Sep 13 22:19:13 UTC 2021
Hi,
We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I know, big jump. We have our own entropy source we use to seed the OpenSSL DRBG. This is a basic code snippet of how we set it up:
DRBG_CTX *dctx = FIPS_get_default_drbg();
FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
FIPS_drbg_set_callbacks(dctx,
rand_get_entropy,
rand_free_entropy,
0,
rand_get_entropy,
rand_free_entropy);
Error checking has been removed in the example for the sake of brevity.
I am trying to figure out how to implement this with OpenSSL 3. From what I have read in the docs, I need to create a rand provider. But I still feel like I don’t understand how it all fit together. I did look at fuzz_rand.c and fake_rand.c, and if I understood everything correctly, neither of them use an external entropy/seed source.
Are there better examples of what I am looking for?
Thanks,
Kory
More information about the openssl-users
mailing list