Re: OpenSSL 3.0.0 custom entropy source

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Correct, you need to create a provider.

Look at providers/implementations/rands/seed_src.c as an example. You'll need to reimplement seed_src_generate() to use your RNG.

Your seed source will need to be wrapped in a provider and registered using a name of your choice.  See providers/defltprov.c and search for "seed”.

To use your custom seed source, you can either use the OpenSSL configuration file to set a "random" section that includes a "seed" setting or you can call RAND_set_seed_source_type() early in your startup sequence.

If you link in your provider, you will need to call OSSL_PROVIDER_add_builtin() with the name and init function before you call OSSL_PROVIDER_load() to load it. Then call OSSL_PROVIDER_load() for all of the other providers (default, base, FIPS, etc).



On Sep 25, 2021, at 6:46 AM, Jakob Bohm via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

So is there no longer an API to feed entropy to the default or FIPS default RNG?

Creating an entire provider just to feed input to the FIPS provider seems overkill.

On 2021-09-14 01:00, Dr Paul Dale wrote:
Try working from providers/implementations/rands/seed_src.c  You'll need to reimplement seed_src_generate() to use your RNG.

To use your custom seed source, you can either use the OpenSSL configuration file to set a "random" section that includes a "seed" setting or you can call RAND_set_seed_source_type() early in your startup sequence.


Pauli

On 14/9/21 8:19 am, Kory Hamzeh wrote:
Hi,

We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I know, big jump. We have our own entropy source we use to seed the OpenSSL DRBG. This is a basic code snippet of how we set it up:

         DRBG_CTX *dctx = FIPS_get_default_drbg();
         FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
         FIPS_drbg_set_callbacks(dctx,
rand_get_entropy,
rand_free_entropy,
                                                   0,
rand_get_entropy,
rand_free_entropy);


Error checking has been removed in the example for the sake of brevity.

I am trying to figure out  how to implement this with OpenSSL 3. From what I have read in the docs, I need to create a rand provider. But I still feel like I don’t understand how it all fit together. I did look at fuzz_rand.c and fake_rand.c, and if I understood everything correctly, neither of them use an external entropy/seed source.

Are there better examples of what I am looking for?

Thanks,
Kory


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux