Re: Entropy Source for Openssl 3.8

Thanks Pauli for your response.
Still I am not clear how to feed the h/w entropy to openssl.

For non-FIPS mode, as per your suggestion, we have two options:

1. RAND_set_rand_method/RAND_set_rand_engine
    Need to implement the method using EVP_RAND (EVP_RAND_fetch, EVP_RAND_CTX_new, EVP_RAND_instantiate, EVP_RAND_seed, EVP_RAND_generate)
    and set the method (RAND_set_rand_method) in openssl.
    How to feed h/w entropy using EVP_RAND_seed?

2. Write a new provider, if we can't use the above method.
    Can we refer to test/testutil/fake_random.c?
    Internally, can we use EVP_RAND (AES_CTR DRBG) in the provider implementation?

For FIPS mode:
    We need to use the AES_CTR DRBG; how to provide hardware entropy to the FIPS provider?
    How to replace the "seed" source? Can you please provide more details?

Is it possible to have a common solution for both FIPS and non-FIPS mode?

Regards
Manish

On Mon, Jun 26, 2023 at 3:18 AM Dr Paul Dale <pauli@xxxxxxxxxxx> wrote:
Both RAND_set_rand_method and RAND_set_rand_engine exist in 3.0.8. They
are deprecated but I doubt they'll be removed for a long time -- per our
policies, they won't be before OpenSSL 4.0 is released.

If you really want to avoid these two, you will have to write a provider
that implements access to the entropy source.  You can then use this
provider instead of OpenSSL's default sources.  I suggest looking at the
"test" and "seed" randoms.

For FIPS usage, it would be easiest to replace the "seed" source and
this is outside the FIPS boundary.  If your RNG is FIPS validated, it
should be possible to use it directly, although the path is more complex.


Pauli

On 25/6/23 07:34, Manish Patidar wrote:
> Hi
> I am using Openssl 3.8 on an RTOS; we have a hardware random entropy source
> for the RNG.   In our env, the entropy source used by Openssl is not available.
>
> It looks like the entropy callback which used to be available in earlier
> versions is no longer supported.  I am wondering how to plug in
> hardware entropy to Openssl.
>
> We are going to use h/w entropy in fips mode also, so we need a solution
> which works for both modes.
>
> It will be really helpful if someone can guide how to use the h/w entropy
> source in openssl 3.8
>
> Regards
> Manish
