Remove All Software Generators
beldmit at gmail.com
Wed Oct 30 16:06:39 UTC 2019
On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham <cauldwell.thomas at gmail.com> wrote:
> Dmitry Belyavsky <beldmit at gmail.com> wrote
> news:CADqLbz+JCTu_yQiW9w-fyO0O56MquA2NRi6HELR6pggxQdHHWA at mail.gmail.com:
> > On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> > <cauldwell.thomas at gmail.com> wrote:
> >> Dmitry Belyavsky <beldmit at gmail.com>
> >> wrote:
> >> >> You still have the OpenSSL built-in RNG.
> >> Is there a simple compiler flag to remove this?
> >> Or do I need to go into the source code and stick a "return -1;"
> >> somewhere?
> > No. OpenSSL will not work if you do not provide a valid RAND_METHOD except
> > a very minimal set of operations.
> So I have to go into the source code and do the following?
> int RAND_bytes(unsigned char *buf, int num)
> {
>     return 1;
> }
> I can either make this function fail (e.g. call 'abort'), or I can always
> make it return 0.
> What do you think?
No. It just makes the RNG unsuitable for any purpose but does not help you.
You should do in your engine the following:
Implement the TPM-provided RAND_METHOD in the engine
call ENGINE_set_RAND for RAND method in the engine bind function
and write a config file similar to
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_section
[ engines_section ]
cryptocom = my_section
[ my_section ]
engine_id = myengine.so
default_algorithms = RAND
SY, Dmitry Belyavsky