Entropy Source for Openssl 3.8
mann.patidar at gmail.com
Mon Jul 10 15:34:46 UTC 2023
Thanks Pauli for your response.
I am still not clear on how to feed the h/w entropy to OpenSSL.
For non-FIPS mode, as per your suggestion, we have two options:
1. Implement a method using EVP_RAND (EVP_RAND_fetch,
EVP_RAND_CTX_new, EVP_RAND_instantiate, EVP_RAND_seed, EVP_RAND_generate)
and set the method in OpenSSL (RAND_set_rand_method).
How do we feed h/w entropy using EVP_RAND_seed?
2. Write a new provider, if we can't use the above method.
Can we refer to test/testutil/fake_random.c?
Internally, can we use EVP_RAND (AES_CTR DRBG) in the provider?
For FIPS mode:
We need to use the AES_CTR DRBG; how do we provide hardware entropy to FIPS?
How do we replace the "seed" source? Can you please provide more details?
Is it possible to have a common solution for both FIPS and non-FIPS modes?
On Mon, Jun 26, 2023 at 3:18 AM Dr Paul Dale <pauli at openssl.org> wrote:
> Both RAND_set_rand_method and RAND_set_rand_engine exist in 3.0.8. They
> are deprecated but I doubt they'll be removed for a long time -- per our
> policies, they won't be before OpenSSL 4.0 is released.
> If you really want to avoid these two, you will have to write a provider
> that implements access to the entropy source. You can then use this
> provider instead of OpenSSL's default sources. I suggest looking at the
> "test" and "seed" randoms.
> For FIPS usage, it would be easiest to replace the "seed" source and
> this is outside the FIPS boundary. If your RNG is FIPS validated, it
> should be possible to use it directly, although the path is more complex.
> On 25/6/23 07:34, Manish Patidar wrote:
> > Hi
> > I am using OpenSSL 3.8 on an RTOS; we have a hardware random entropy source
> > for the RNG. In our env, the entropy source used by OpenSSL is not available.
> > It looks like the entropy callback which used to be available in earlier
> > versions is no longer supported. I am wondering how to plug in
> > hardware entropy to OpenSSL.
> > We are going to use h/w entropy in FIPS mode also, so we need a solution
> > which works for both modes.
> > It would be really helpful if someone could guide us on how to use a h/w entropy
> > source in OpenSSL 3.8.
> > Regards
> > Manish