Correct, you need to create a provider. Look at providers/implementations/rands/seed_src.c as an example. You'll need to reimplement seed_src_generate() to use your RNG.
Your seed source will need to be wrapped in a provider and registered using a name of your choice. See providers/defltprov.c and search for "seed". To use your custom seed source, you can either use the OpenSSL configuration file to set a "random" section that includes a "seed" setting or you can call RAND_set_seed_source_type() early in your startup sequence. If you link in your provider, you will need to call OSSL_PROVIDER_add_builtin() with the name and init function before you call OSSL_PROVIDER_load() to load it. Then call OSSL_PROVIDER_load() for all of the other providers (default, base, FIPS, etc).

> On Sep 25, 2021, at 6:46 AM, Jakob Bohm via openssl-users
> <openssl-users@openssl.org> wrote:
>
> So is there no longer an API to feed entropy to the default or FIPS default
> RNG?
>
> Creating an entire provider just to feed input to the FIPS provider seems
> overkill.
>
> On 2021-09-14 01:00, Dr Paul Dale wrote:
>> Try working from providers/implementations/rands/seed_src.c. You'll need to
>> reimplement seed_src_generate() to use your RNG.
>>
>> To use your custom seed source, you can either use the OpenSSL configuration
>> file to set a "random" section that includes a "seed" setting or you can
>> call RAND_set_seed_source_type() early in your startup sequence.
>>
>>
>> Pauli
>>
>> On 14/9/21 8:19 am, Kory Hamzeh wrote:
>>> Hi,
>>>
>>> We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I
>>> know, big jump. We have our own entropy source we use to seed the OpenSSL
>>> DRBG. This is a basic code snippet of how we set it up:
>>>
>>>     DRBG_CTX *dctx = FIPS_get_default_drbg();
>>>     FIPS_drbg_init(dctx, NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
>>>     FIPS_drbg_set_callbacks(dctx,
>>>                             rand_get_entropy,
>>>                             rand_free_entropy,
>>>                             0,
>>>                             rand_get_entropy,
>>>                             rand_free_entropy);
>>>
>>>
>>> Error checking has been removed in the example for the sake of brevity.
>>>
>>> I am trying to figure out how to implement this with OpenSSL 3. From what
>>> I have read in the docs, I need to create a rand provider. But I still feel
>>> like I don't understand how it all fits together. I did look at fuzz_rand.c
>>> and fake_rand.c, and if I understood everything correctly, neither of them
>>> use an external entropy/seed source.
>>>
>>> Are there better examples of what I am looking for?
>>>
>>> Thanks,
>>> Kory
>>>
>>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
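
The configuration-file route described in the reply at the top of this message, sketched as an added example that is not from the thread or from the OpenSSL sources. It assumes the custom seed provider is built as a loadable module; the provider name myseed, the module path and the seed source name MY-SEED-SRC are placeholders.

```ini
# Added example: names and paths below are placeholders, not from the thread.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
random = random_sect

[provider_sect]
# Once any provider is activated explicitly, the default provider is no
# longer loaded implicitly, so it is listed here as well.
default = default_sect
myseed = myseed_sect

[default_sect]
activate = 1

[myseed_sect]
# Assumption: the custom seed provider is built as a loadable module.
module = /path/to/myseed.so
activate = 1

[random_sect]
# Name under which the provider registers its seed source (placeholder).
seed = MY-SEED-SRC
```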