Currently there is exactly one seed source that is usable in OpenSSL
3.0: "SEED-SRC". It is documented in EVP_RAND-SEED-SRC. The reason the
seed source can be set is to allow you to use a third party provider
than includes one.
If you want to force RDRAND as the only seeding source, this needs to be
done at configuration time with the --with-rand-seed configuration
option. Note that this will enable RDSEED in preference to RDRAND but
will use RDRAND if RDSEED isn't available.
I assume that you meant openssl info -seeds not openssl list -seeds.
This lists the seed sources that were configured at build time.
There is no relationship between the RDRAND engine and the seed
sources. Well, they both use the same machine instruction to get the
seed material but it's called from completely different places.
Yes, the man pages could be more informative and user friendly :(
Pauli
On 10/11/21 12:35 pm, Blumenthal, Uri - 0553 - MITLL wrote:
"man config" for OpenSSL-3.0 and newer says that there can be "[random]" section in "openssl.cnf", where I can specify type of RNG, other things, and *seed*, and seed *properties*.
Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:
Random Configuration
The name random in the initialization section names the section containing the random number
generater settings.
Within the random section, the following names have meaning:
random
This is used to specify the random bit generator. For example:
[random]
random = CTR-DRBG
The available random bit generators are:
CTR-DRBG
HASH-DRBG
HMAC-DRBG
. . . . .
properties
This sets the property query used when fetching the random bit generator and any
underlying algorithms.
seed
This sets the randomness source that should be used. By default SEED-SRC will be used
outside of the FIPS provider. The FIPS provider uses call backs to access the same
randomness sources from outside the validated boundary.
seed_properties
This sets the property query used when fetching the randomness source.
I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK. What properties can I set, if any? How does this "[random]" relate to the RDRAND *engine* (see below)?
$ openssl3 engine rdrand -t
(rdrand) Intel RDRAND engine
[ available ]
Thanks!
--
Regards,
Uri Blumenthal Voice: (781) 981-1638
Secure Resilient Systems and Technologies Cell: (339) 223-5363
MIT Lincoln Laboratory
244 Wood Street, Lexington, MA 02420-9108
Web: https://www.ll.mit.edu/biographies/uri-blumenthal
Root CA: https://www.ll.mit.edu/llrca2.pem
There are two ways to design a system. One is to make is so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
