OpenSSL 3.0.0 custom entropy source

Kory Hamzeh kory at avatarci.com
Sat Sep 25 19:46:24 UTC 2021


Correct, you need to create a provider.

Look at providers/implementations/rands/seed_src.c as an example. You'll need to reimplement seed_src_generate() to use your RNG.

Your seed source will need to be wrapped in a provider and registered using a name of your choice.  See providers/defltprov.c and search for "seed".

To use your custom seed source, you can either use the OpenSSL configuration file to set a "random" section that includes a "seed" setting or you can call RAND_set_seed_source_type() early in your startup sequence.

If you link in your provider, you will need to call OSSL_PROVIDER_add_builtin() with the name and init function before you call OSSL_PROVIDER_load() to load it. Then call OSSL_PROVIDER_load() for all of the other providers (default, base, FIPS, etc).



> On Sep 25, 2021, at 6:46 AM, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
> 
> So is there no longer an API to feed entropy to the default or FIPS default RNG?
> 
> Creating an entire provider just to feed input to the FIPS provider seems overkill.
> 
> On 2021-09-14 01:00, Dr Paul Dale wrote:
>> Try working from providers/implementations/rands/seed_src.c  You'll need to reimplement seed_src_generate() to use your RNG.
>> 
>> To use your custom seed source, you can either use the OpenSSL configuration file to set a "random" section that includes a "seed" setting or you can call RAND_set_seed_source_type() early in your startup sequence.
>> 
>> 
>> Pauli
>> 
>> On 14/9/21 8:19 am, Kory Hamzeh wrote:
>>> Hi,
>>> 
>>> We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I know, big jump. We have our own entropy source we use to seed the OpenSSL DRBG. This is a basic code snippet of how we set it up:
>>> 
>>>     #include <openssl/fips_rand.h>   /* FIPS 2.0 module DRBG API */
>>> 
>>>     DRBG_CTX *dctx = FIPS_get_default_drbg();
>>>     FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
>>>     FIPS_drbg_set_callbacks(dctx,
>>>                             rand_get_entropy,    /* entropy source */
>>>                             rand_free_entropy,   /* entropy cleanup */
>>>                             0,                   /* entropy block length */
>>>                             rand_get_entropy,    /* nonce source */
>>>                             rand_free_entropy);  /* nonce cleanup */
>>> 
>>> 
>>> Error checking has been removed in the example for the sake of brevity.
>>> 
>>> I am trying to figure out how to implement this with OpenSSL 3. From what I have read in the docs, I need to create a rand provider. But I still feel like I don’t understand how it all fits together. I did look at fuzz_rand.c and fake_rand.c, and if I understood everything correctly, neither of them use an external entropy/seed source.
>>> 
>>> Are there better examples of what I am looking for?
>>> 
>>> Thanks,
>>> Kory
>>> 
>> 
> Enjoy
> 
> Jakob
> -- 
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> 
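The other route mentioned in the thread, selecting the seed source through the OpenSSL configuration file rather than from code, looks like this. It is an added example, not a file from the thread or from OpenSSL; the section names, the provider name "myseed" and the algorithm name "MY-SEED" are assumptions, and the keys in the random section are the ones documented for 3.0 in openssl-config(5).

```ini
# Added example (not from the thread): openssl.cnf selecting a custom seed
# source for the default DRBG. Names are assumptions for this example.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
random = random_sect

[provider_sect]
default = default_sect
myseed = myseed_sect

[default_sect]
activate = 1

[myseed_sect]
activate = 1

[random_sect]
random = CTR-DRBG
cipher = AES-256-CTR
seed = MY-SEED
seed_properties = provider=myseed
```

For the config to activate "myseed" it must be loadable by that name when the configuration is read: either installed as a provider module in the modules directory, or, if it is linked into the application, registered with OSSL_PROVIDER_add_builtin() before the configuration is loaded. The value of "seed" must match the algorithm name the provider registers for OSSL_OP_RAND.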


