OpenSSL 3.0.0 custom entropy source

Jakob Bohm jb-openssl at
Sat Sep 25 13:46:46 UTC 2021

So is there no longer an API to feed entropy to the default or FIPS 
default RNG?

Creating an entire provider just to feed input to the FIPS provider 
seems overkill.

On 2021-09-14 01:00, Dr Paul Dale wrote:
> Try working from providers/implementations/rands/seed_src.c  You'll 
> need to reimplement seed_src_generate() to use your RNG.
> To use your custom seed source, you can either use the OpenSSL 
> configuration file to set a "random" section that includes a "seed" 
> setting or you can call RAND_set_seed_source_type() early in your 
> startup sequence.
> Pauli
> On 14/9/21 8:19 am, Kory Hamzeh wrote:
>> Hi,
>> We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. 
>> Yes, I know, big jump. We have our own entropy source we use to seed 
>> the OpenSSL DRBG. This is a basic code snippet of how we set it up:
>>          DRBG_CTX *dctx = FIPS_get_default_drbg();
>>          FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
>>          FIPS_drbg_set_callbacks(dctx,
>> rand_get_entropy,
>> rand_free_entropy,
>>                                                    0,
>> rand_get_entropy,
>> rand_free_entropy);
>> Error checking has been removed in the example for the sake of brevity.
>> I am trying to figure out  how to implement this with OpenSSL 3. From 
>> what I have read in the docs, I need to create a rand provider. But I 
>> still feel like I don’t understand how it all fit together. I did 
>> look at fuzz_rand.c and fake_rand.c, and if I understood everything 
>> correctly, neither of them use an external entropy/seed source.
>> Are there better examples of what I am looking for?
>> Thanks,
>> Kory

Jakob Bohm, CIO, Partner, WiseMo A/S.
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list