wolfSSL · ColtonWilley · Jan 7, 2026 · Jan 7, 2026 · Jan 8, 2026 · padelsbach
diff --git a/.github/workflows/seed-src.yml b/.github/workflows/seed-src.yml
@@ -0,0 +1,55 @@
+name: SEED-SRC Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  seed_src_test:
+    name: SEED-SRC Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        wolfssl_ref: [
+          'master',
+          'v5.8.4-stable']
+        openssl_ref: [
+          'openssl-3.5.4',
+          'openssl-3.0.17']
+
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Build and test wolfProvider with SEED-SRC
+        run: |
+             # Force wolfSSL to not use getrandom syscall via ac_cv_func_getrandom=no.
+             # This ensures /dev/urandom is used as the entropy source, which is
+             # required to test the SEED-SRC feature's fork-safe caching behavior.
+             WOLFSSL_CONFIG_OPTS="--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha ac_cv_func_getrandom=no" \
+             OPENSSL_TAG=${{ matrix.openssl_ref }} \
+             WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
+             ./scripts/build-wolfprovider.sh --enable-seed-src
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
+          if [ -f scripts/build-release.log ] ; then
+            echo "=== Build Release Log (last 100 lines) ==="
+            tail -100 scripts/build-release.log
+          fi
+
diff --git a/configure.ac b/configure.ac
@@ -132,6 +132,17 @@ AC_ARG_ENABLE([replace-default],
 
 AM_CONDITIONAL([BUILD_REPLACE_DEFAULT], [test "x$ENABLED_REPLACE_DEFAULT" = "xyes"])
 
+# SEED-SRC entropy source with /dev/urandom caching
+AC_ARG_ENABLE([seed-src],
+    [AS_HELP_STRING([--enable-seed-src],[Enable SEED-SRC entropy source with /dev/urandom caching for fork-safe entropy (default: disabled).])],
+    [ ENABLED_SEED_SRC=$enableval ],
+    [ ENABLED_SEED_SRC=no ]
+    )
+
+if test "x$ENABLED_SEED_SRC" = "xyes"; then
+    AM_CFLAGS="$AM_CFLAGS -DWP_HAVE_SEED_SRC"
+fi
+
 # Set OpenSSL lib directory for installing libdefault.so
 if test "x$ENABLED_REPLACE_DEFAULT" = "xyes"; then
     if test -d "$OPENSSL_INSTALL_DIR/lib64"; then

diff --git a/include/wolfprovider/alg_funcs.h b/include/wolfprovider/alg_funcs.h
@@ -170,6 +170,7 @@ typedef void (*DFUNC)(void);
 #define WP_NAMES_DHX            "DHX"
 
 /* DRBG names. */
+#define WP_NAMES_SEED_SRC       "SEED-SRC"
 #define WP_NAMES_CTR_DRBG       "CTR-DRBG"
 #define WP_NAMES_HASH_DRBG      "HASH-DRBG"
 
@@ -351,6 +352,9 @@ extern const OSSL_DISPATCH wp_hkdf_keyexch_functions[];
 extern const OSSL_DISPATCH wp_tls1_prf_keyexch_functions[];
 
 /* DRBG implementations. */
+#ifdef WP_HAVE_SEED_SRC
+extern const OSSL_DISPATCH wp_seed_src_functions[];
+#endif
 extern const OSSL_DISPATCH wp_drbg_functions[];
 
 /* Decode implementations. */

diff --git a/include/wolfprovider/internal.h b/include/wolfprovider/internal.h
@@ -155,6 +155,24 @@ typedef struct WOLFPROV_CTX {
    BIO_METHOD *coreBioMethod;
 } WOLFPROV_CTX;
 
+#ifdef WP_HAVE_SEED_SRC
+/*
+ * Global /dev/urandom subsystem functions.
+ *
+ * These manage a cached file handle to /dev/urandom that is opened lazily
+ * on first entropy request (matching OpenSSL's default provider behavior).
+ * The file stays open so child processes inherit it and can read even
+ * in sandboxed environments that block openat().
+ */
+int wp_urandom_init(void);
+void wp_urandom_cleanup(void);
+int wp_urandom_read(unsigned char* buf, size_t len);
+
+#ifndef WP_SINGLE_THREADED
+wolfSSL_Mutex *wp_get_urandom_mutex(void);
+#endif
+#endif /* WP_HAVE_SEED_SRC */
+
 
 WC_RNG* wp_provctx_get_rng(WOLFPROV_CTX* provCtx);
 #ifndef WP_SINGLE_THREADED

diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh
@@ -27,6 +27,8 @@ show_help() {
   echo "                             Note: Requires --replace-default. Only for test builds, not for production."
   echo "  --leave-silent             Enable leave silent mode to suppress logging of return 0 in probing functions where expected failures may occur."
   echo "                             Note: This only affects logging; the calling function is still responsible for handling all return values appropriately."
+  echo "  --enable-seed-src          Enable SEED-SRC entropy source with /dev/urandom caching for fork-safe entropy."
+  echo "                             Note: This also enables WC_RNG_SEED_CB in wolfSSL."
   echo ""
   echo "Environment Variables:"
   echo "  OPENSSL_TAG                OpenSSL tag to use (e.g., openssl-3.5.0)"
@@ -43,6 +45,7 @@ show_help() {
   echo "  WOLFPROV_REPLACE_DEFAULT   If set to 1, patches OpenSSL so wolfProvider is the default provider"
   echo "  WOLFPROV_REPLACE_DEFAULT_TESTING If set to 1, enables direct provider loading in unit tests (requires WOLFPROV_REPLACE_DEFAULT=1)"
   echo "  WOLFPROV_LEAVE_SILENT      If set to 1, suppress logging of return 0 in functions where return 0 is expected behavior sometimes."
+  echo "  WOLFPROV_SEED_SRC          If set to 1, enables SEED-SRC with /dev/urandom caching (also enables WC_RNG_SEED_CB in wolfSSL)"
   echo ""
 }
 
@@ -129,6 +132,9 @@ for arg in "$@"; do
         --leave-silent)
             WOLFPROV_LEAVE_SILENT=1
             ;;
+        --enable-seed-src)
+            WOLFPROV_SEED_SRC=1
+            ;;
         *)
             args_wrong+="$arg, "
             ;;

diff --git a/scripts/utils-wolfprovider.sh b/scripts/utils-wolfprovider.sh
@@ -106,6 +106,10 @@ install_wolfprov() {
         WOLFPROV_CONFIG_OPTS+=" --enable-replace-default"
     fi
 
+    if [ "$WOLFPROV_SEED_SRC" = "1" ]; then
+        WOLFPROV_CONFIG_OPTS+=" --enable-seed-src"
+    fi
+
     if [ "${WOLFPROV_LEAVE_SILENT}" = "1" ]; then
         WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS} -DWOLFPROV_LEAVE_SILENT_MODE"
     fi

diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
@@ -32,6 +32,12 @@ WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/in
 WOLFSSL_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha'}
 WOLFSSL_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM "}
 
+# Add WC_RNG_SEED_CB when SEED-SRC is enabled (allows custom seed callback for fork safety)
+if [ "$WOLFPROV_SEED_SRC" = "1" ]; then
+    WOLFSSL_CONFIG_CFLAGS="${WOLFSSL_CONFIG_CFLAGS} -DWC_RNG_SEED_CB"
+    WOLFSSL_FIPS_CONFIG_CFLAGS="${WOLFSSL_FIPS_CONFIG_CFLAGS} -DWC_RNG_SEED_CB"
+fi
+
 WOLFSSL_DEBUG_ASN_TEMPLATE=${DWOLFSSL_DEBUG_ASN_TEMPLATE:-0}
 WOLFPROV_DISABLE_ERR_TRACE=${WOLFPROV_DISABLE_ERR_TRACE:-0}
 WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}

diff --git a/src/include.am b/src/include.am
@@ -36,6 +36,7 @@ libwolfprov_la_SOURCES += src/wp_ecx_sig.c
 libwolfprov_la_SOURCES += src/wp_dh_kmgmt.c
 libwolfprov_la_SOURCES += src/wp_dh_exch.c
 libwolfprov_la_SOURCES += src/wp_drbg.c
+libwolfprov_la_SOURCES += src/wp_seed_src.c
 libwolfprov_la_SOURCES += src/wp_dec_pem2der.c
 libwolfprov_la_SOURCES += src/wp_dec_epki2pki.c
 libwolfprov_la_SOURCES += src/wp_file_store.c