As for what to fetch: the DRBG instances and the seed material source would be
ideal, although we don’t need the seed source for FIPS (so long as the DRBGs
seed from inside their own provider).
I had always assumed we would fetch DRBG instances.
Matt
It would also make sense to make the entropy sources themselves fetchable and
configurable. This would enable us to
- separate FIPS and non-FIPS entropy sources (using the 'fips' attribute)
- make the entropy search policy configurable via config file (search order,
blocking vs. non-blocking, ...)
and it would also enable third party providers to plug in their (FIPS
certified) hardware modules as entropy sources.
In this context it might help to revisit Pauli's long standing and still
unresolved issue #4394:
- Multiple entropy source handling -
https://github.com/openssl/openssl/issues/4394
Matthias
