"man config" for OpenSSL-3.0 and newer says that there can be a "[random]" section in "openssl.cnf", where I can specify the type of RNG, other things, and *seed*, and seed *properties*. Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:

    Random Configuration

    The name random in the initialization section names the section
    containing the random number generator settings.

    Within the random section, the following names have meaning:

    random
        This is used to specify the random bit generator. For example:

            [random]
            random = CTR-DRBG

        The available random bit generators are:

            CTR-DRBG
            HASH-DRBG
            HMAC-DRBG

    . . . . .

    properties
        This sets the property query used when fetching the random bit
        generator and any underlying algorithms.

    seed
        This sets the randomness source that should be used. By default
        SEED-SRC will be used outside of the FIPS provider. The FIPS
        provider uses call backs to access the same randomness sources
        from outside the validated boundary.

    seed_properties
        This sets the property query used when fetching the randomness
        source.

I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK.

What properties can I set, if any?

How does this "[random]" relate to the RDRAND *engine* (see below)?

    $ openssl3 engine rdrand -t
    (rdrand) Intel RDRAND engine
         [ available ]

Thanks!

--
Regards,
Uri Blumenthal                            Voice: (781) 981-1638
Secure Resilient Systems and Technologies  Cell: (339) 223-5363
MIT Lincoln Laboratory
244 Wood Street, Lexington, MA 02420-9108
Web: https://www.ll.mit.edu/biographies/uri-blumenthal
Root CA: https://www.ll.mit.edu/llrca2.pem

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.
                                                       - C. A. R. Hoare
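As an added example that is not part of the message above (nor taken from the OpenSSL man page), here is a complete openssl.cnf showing how the [random] section is wired into the initialization section; the quoted "man config" text shows only the body of the section, not the `random = ...` line in the init section that makes it take effect. It uses only names the quoted text gives: CTR-DRBG for the generator and SEED-SRC, the default seed source outside the FIPS provider. The section names (openssl_init, random_sect, provider_sect, default_sect) and the property query `provider=default` are assumptions of this example (the latter is ordinary OpenSSL property-query syntax). Whether "rdrand" is an accepted value for `seed`, and how the section relates to the rdrand ENGINE, is left open here, exactly as in the question.

```ini
# Added example openssl.cnf for OpenSSL 3.x. Not the poster's config and
# not from the man page; section names and property queries are assumed.

# Top-level name the library looks up at initialisation.
openssl_conf = openssl_init

[openssl_init]
# Load providers from the section below.
providers = provider_sect
# "random" in the initialization section names the [random] section.
random = random_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1

[random_sect]
# One of CTR-DRBG, HASH-DRBG, HMAC-DRBG (from the quoted man page).
random = CTR-DRBG
# Property query used when fetching the DRBG and its underlying
# algorithms (assumed value; standard property-query syntax).
properties = provider=default
# The default seed source outside the FIPS provider, per the man page.
seed = SEED-SRC
# Property query used when fetching the seed source (assumed value).
seed_properties = provider=default
```

With OPENSSL_CONF pointed at this file, `openssl list -random-instances` (OpenSSL 3.x) reports which DRBG each of the primary, public and private instances is using, which is the quickest way to confirm that the section was picked up rather than silently ignored.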