On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham <cauldwell.thomas@xxxxxxxxx> wrote:
Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote
in
news:CADqLbz+JCTu_yQiW9w-fyO0O56MquA2NRi6HELR6pggxQdHHWA@xxxxxxxxxxxxxx:
> On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> <cauldwell.thomas@xxxxxxxxx> wrote:
>
>> Dmitry Belyavsky <beldmit@xxxxxxxxx>
>> wrote:
>>
>> >> You still have the OpenSSL built-in RNG.
>>
>>
>>
>> Is there a simple compiler flag to remove this?
>>
>> Or do I need to go into the source code and stick a "return -1;"
>> somewhere?
>>
>> No. Openssl will not work if you do not provide a valid RAND_METHOD
>> except
> a very minimal set of operations.
>
So I have to go into the source code and do the following?
int RAND_bytes(unsigned char *buf, int num)
{
memset(buf,0,num);
return 1;
}
I can either make this function fail (e.g. call 'abort'), or I can always
make it return 0.
What do you think?
You should do in your engine the following:
Implement the TPM-provided RAND_METHOD in the engine
call ENGINE_set_RAND for RAND method in the engine bind fuction
and write a config file similar to
=========
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_section
[ engines_section ]
cryptocom = my_section
[ my_section ]
engine_id = myengine.so
default_algorithms = RAND
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_section
[ engines_section ]
cryptocom = my_section
[ my_section ]
engine_id = myengine.so
default_algorithms = RAND
=========
--
SY, Dmitry Belyavsky
