So is there no longer an API to feed entropy to the default or FIPS
default RNG?
Creating an entire provider just to feed input to the FIPS provider
seems overkill.
On 2021-09-14 01:00, Dr Paul Dale wrote:
Try working from providers/implementations/rands/seed_src.c You'll
need to reimplement seed_src_generate() to use your RNG.
To use your custom seed source, you can either use the OpenSSL
configuration file to set a "random" section that includes a "seed"
setting or you can call RAND_set_seed_source_type() early in your
startup sequence.
Pauli
On 14/9/21 8:19 am, Kory Hamzeh wrote:
Hi,
We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0.
Yes, I know, big jump. We have our own entropy source we use to seed
the OpenSSL DRBG. This is a basic code snippet of how we set it up:
DRBG_CTX *dctx = FIPS_get_default_drbg();
FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
FIPS_drbg_set_callbacks(dctx,
rand_get_entropy,
rand_free_entropy,
0,
rand_get_entropy,
rand_free_entropy);
Error checking has been removed in the example for the sake of brevity.
I am trying to figure out how to implement this with OpenSSL 3. From
what I have read in the docs, I need to create a rand provider. But I
still feel like I don’t understand how it all fit together. I did
look at fuzz_rand.c and fake_rand.c, and if I understood everything
correctly, neither of them use an external entropy/seed source.
Are there better examples of what I am looking for?
Thanks,
Kory
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
