sujay

Reputation: 1

Random number generation in Openssl provider

I am trying to implement an OpenSSL provider (say x-prov) with random number generation from an HSM. The x-prov provider, during initialization (in the OSSL_provider_init function), uses the RAND_bytes API of OpenSSL.

I execute the openssl command as `openssl rand --provider x-prov.so --provider default -hex 32`

I am getting the following error:

rand: unable to load provider x-prov.so Hint: use -provider-path option or OPENSSL_MODULES environment variable.
4007CE76A07F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (CTR-DRBG : 0), Properties ()
4007CE76A07F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:571:

Can anyone help me solve the issue, please?

I am using OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Loading the default provider first, as `openssl rand --provider default --provider x-prov.so -hex 32`, will solve the RAND_bytes API issue, but then even the `openssl rand` command will get its random numbers from the default provider (it won't use x-prov.so for this).

Upvotes: 0

Views: 3572

Answers (2)

JonathanG

Reputation: 61

The key part of the error that you are seeing is "unable to fetch drbg" (translated from the internal RAND_R_UNABLE_TO_FETCH_DRBG). This is telling you that openssl is unable to load the requested DRBG provider: in this case x-prov.so.

This could be either because (a) the shared object (x-prov.so) cannot be located, or (b) it could be located but failed to load.

In the case of (a) "File not found": adding an additional command-line argument `-provider-path <path_to_x-prov.so>` may help.

In the case of (b) "Provider initialisation failure", you would need to inspect or debug the initialisation code of your provider to find the cause of failure.

If I understand correctly that you need some randomness during the RNG initialisation, then you may need to source that yourself, independent of OpenSSL, so as to avoid recursion.

I hope this helps.

Upvotes: 0

user23398209

Reputation: 1

Use `-provider-path` to solve the problem.

Upvotes: -1
