Remove All Software Generators

Dmitry Belyavsky beldmit at gmail.com
Wed Oct 30 16:06:39 UTC 2019


On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham <cauldwell.thomas at gmail.com>
wrote:

> Dmitry Belyavsky <beldmit at gmail.com> wrote
> in
> news:CADqLbz+JCTu_yQiW9w-fyO0O56MquA2NRi6HELR6pggxQdHHWA at mail.gmail.com:
>
> > On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> > <cauldwell.thomas at gmail.com> wrote:
> >
> >> Dmitry Belyavsky <beldmit at gmail.com>
> >> wrote:
> >>
> >> >> You still have the OpenSSL built-in RNG.
> >>
> >>
> >>
> >> Is there a simple compiler flag to remove this?
> >>
> >> Or do I need to go into the source code and stick a "return -1;"
> >> somewhere?
> >>
> > No. Openssl will not work if you do not provide a valid RAND_METHOD except
> > a very minimal set of operations.
> >
>
>
> So I have to go into the source code and do the following?
>
> int RAND_bytes(unsigned char *buf, int num)
> {
>     memset(buf,0,num);
>     return 1;
> }
>
> I can either make this function fail (e.g. call 'abort'), or I can always
> make it return 0.
>
> What do you think?
>
No. It just makes the RNG unsuitable for any purpose but does not help you.

You should do in your engine the following:

Implement the TPM-provided RAND_METHOD in the engine
call ENGINE_set_RAND for RAND method in the engine bind function

and write a config file similar to
=========
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_section
[ engines_section ]
cryptocom = my_section

[ my_section ]
engine_id = myengine.so
default_algorithms = RAND
=========

-- 
SY, Dmitry Belyavsky
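
The engine side of the steps in the message above, as an added example (not code from the post or from OpenSSL): a RAND_METHOD whose bytes callback reads a hardware RNG and fails closed instead of zero-filling or falling back to software, registered with ENGINE_set_RAND in the bind function. The device path /dev/hwrng, the engine id tpmrand and the BUILD_ENGINE macro are assumptions.

```c
/* Added example. Engine build (assumed command line):
 *   cc -fPIC -shared -DBUILD_ENGINE tpmrand.c -o tpmrand.so -lcrypto
 * Without -DBUILD_ENGINE only the RNG core compiles, for tests without libcrypto. */
#include <stdio.h>

/* Assumption: the TPM/hardware RNG is exposed as a character device. */
static const char *hw_device = "/dev/hwrng";

/* RAND_METHOD "bytes" callback: returns 1 on success, 0 on failure.
 * Fails closed: no zero-fill, no software fallback, no partial result accepted. */
static int tpm_rand_bytes(unsigned char *buf, int num)
{
    FILE *f;
    size_t got;
    if (buf == NULL || num < 0)
        return 0;
    if ((f = fopen(hw_device, "rb")) == NULL)
        return 0;
    setvbuf(f, NULL, _IONBF, 0);   /* keep device output out of a stdio buffer */
    got = fread(buf, 1, (size_t)num, f);
    fclose(f);
    return got == (size_t)num;     /* a short read counts as failure */
}

/* RAND_METHOD "status" callback: 1 only if the device delivers data right now. */
static int tpm_rand_status(void)
{
    unsigned char probe;
    return tpm_rand_bytes(&probe, 1);
}

#ifdef BUILD_ENGINE
#include <openssl/engine.h>
#include <openssl/rand.h>
/* Field order: seed, bytes, cleanup, add, pseudorand, status. */
static RAND_METHOD tpm_rand_method = {
    NULL, tpm_rand_bytes, NULL, NULL, tpm_rand_bytes, tpm_rand_status
};

/* Bind function: called when the engine is loaded; registers the RAND method. */
static int bind(ENGINE *e, const char *id)
{
    (void)id;
    return ENGINE_set_id(e, "tpmrand")
        && ENGINE_set_name(e, "TPM-backed RAND (example)")
        && ENGINE_set_RAND(e, &tpm_rand_method);
}
IMPLEMENT_DYNAMIC_BIND_FN(bind)
IMPLEMENT_DYNAMIC_CHECK_FN()
#endif
```

With `default_algorithms = RAND` in the engine's config section, RAND_bytes() is routed to this method, so a missing or failing device surfaces as a RAND_bytes() error in the caller.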