Random number generation in Openssl provider

[sujaygkulkarni-nxp]

I am trying to implement a openssl provider (say x-prov) with random number generation from HSM. The x-prov provider during the initialization (in OSSL_provider_init function) has to use the RAND_bytes api of openssl.

I execute the openssl command as openssl rand --provider x-prov.so --provider default -hex 32

I am getting the following error

rand: unable to load provider x-prov.so Hint: use -provider-path option or OPENSSL_MODULES environment variable. 4007CE76A07F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (CTR-DRBG : 0), Properties () 4007CE76A07F0000:error:12000090:random number generator:rand_new_drbg:unable to fetch drbg:crypto/rand/rand_lib.c:571:

Loading the default provider at the start as - "openssl rand --provider default --provider x-prov.so -hex 32" will solve the RAND_bytes api issue, But even the "openssl rand" command will get the random numbers from default provider. (wont use the x-prov.so for this).

[t8m]

Unfortunately you cannot depend on other providers in OSSL_provider_init() function. @paulidale might be able to give you some hints on how this can be workarounded.

[paulidale]

At the time OSSL_provider_init() is called, none of the provided algorithms have been registered because that happens later. So if you need RAND_bytes() as part of your initialisation and you provide the RNG, you'd better call it directly.

Essentially, provider initialisation is the time to set things up not to use included algorithms.

Instead of called RAND_bytes(), you should either call your RNG directly or go through the EVP_RAND APIs to create and instantiate it (and I'm not sure the latter will be possible).

[sujaygkulkarni-nxp]

Thank you for the hint. Will give it a try.