Entropy Source for Openssl 3.8
Dr Paul Dale
pauli at openssl.org
Sun Jun 25 21:48:01 UTC 2023
Both RAND_set_rand_method and RAND_set_rand_engine exist in 3.0.8. They
are deprecated but I doubt they'll be removed for a long time -- per our
policies, they won't be before OpenSSL 4.0 is released.
If you really want to avoid these two, you will have to write a provider
that implements access to the entropy source. You can then use this
provider instead of OpenSSL's default sources. I suggest looking at the
"test" and "seed" randoms.
For FIPS usage, it would be easiest to replace the "seed" source and
this is outside the FIPS boundary. If you RNG is FIPS validated, it
should be possible to use it directly, although the path is more complex.
Pauli
On 25/6/23 07:34, Manish Patidar wrote:
> Hi
> I am using Openssl 3.8 on rtos, we have harware random entropy source
> for RNG. In our env, Openssl used entropy source is not available.
>
> Look like entropy callback which used to available in earlier
> versions, is no more supported. I am wondering how to plungin
> hardware entropy to Openssl.
>
> We are going to use h/w entropy in fips mode also, so we need solution
> which works for both mode.
>
> It will be really helpful if someone guide how to use h/w entropy
> source in openssl 3.8
>
> Regards
> Manish
More information about the openssl-users
mailing list