Re: OpenSSL-3.+ how to configure [random]?

On 11/10/21, 15:20, "openssl-users on behalf of Dr Paul Dale" <openssl-users-bounces@xxxxxxxxxxx on behalf of pauli@xxxxxxxxxxx> wrote:
>
>  I'm pretty sure the underlying problem is that there is a call to 
>  RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the 
>  latter).

Probably...

>  These completely replace the built in RNG infrastructure with the 
>  RAND_METHOD/engine.  If the engine then fails to produce output for any 
>  reason, the observed results will present.

And randomness retrieval in PKCS#11 engine is broken, because otherwise it would've gotten some randomness from the hardware token, right?

>  Adding the RDRAND engine again replaces the RAND_METHOD and things begin 
>  working.

Yes...

>  I've no idea why the PKCS#11 engine has stopped working with 3.0. It 
>  wasn't meant to.

This made me question what's going on. It's been quite some time since I updated 'pkcs11' engine for OSSL-1.1.1.

And I observe that the current version of the PKCS#11 engine does not work correctly, i.e., does not serve randomness, on OpenSSL-1.1.1 *and* 3.x.

$ OPENSSL_CONF="" openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
$ OPENSSL_CONF="" openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl-1.1 rand -engine pkcs11 -hex 8
engine "pkcs11" set.
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl rand -hex 8
71f7744c5190385f
$

I'll bring this up with its maintainers.

Thanks!


    On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote:
    > Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked.
    >
    > There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider.
    > In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.
    >
    > Thanks!
    >
    > P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
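
Added example (not part of the original message, and not code from the OpenSSL or PKCS#11 engine projects): a shell check for the silent failure visible in the transcript above, where "openssl rand -engine pkcs11 -hex 8" prints the engine banner but no random bytes. The function names and the OPENSSL_BIN variable are assumptions made for this example; the two sample strings are copied from the transcript.

```shell
#!/bin/sh
# Detect an engine that has replaced the RAND method but serves no randomness.

# Sample outputs taken from the transcript in this message.
SAMPLE_BASELINE='71f7744c5190385f'      # openssl rand -hex 8
SAMPLE_ENGINE='Engine "pkcs11" set.'    # openssl rand -engine pkcs11 -hex 8

# has_rand_hex NBYTES TEXT
# Succeeds only if TEXT has a line of exactly 2*NBYTES hex digits, which is
# what "openssl rand -hex NBYTES" prints when the RNG delivers output.
has_rand_hex() {
    nbytes=$1
    text=$2
    want=$((nbytes * 2))
    printf '%s\n' "$text" | grep -Eqx "[0-9a-fA-F]{$want}"
}

# classify_rand NBYTES BASELINE_OUTPUT ENGINE_OUTPUT
# Prints one verdict: ok, engine-rng-broken or default-rng-broken.
classify_rand() {
    if ! has_rand_hex "$1" "$2"; then
        echo "default-rng-broken"
    elif ! has_rand_hex "$1" "$3"; then
        echo "engine-rng-broken"
    else
        echo "ok"
    fi
}

# probe_engine ENGINE [NBYTES]
# Runs the two commands from the transcript with an empty OPENSSL_CONF and
# classifies what came back. OPENSSL_BIN (hypothetical override) selects the
# binary, e.g. ~/openssl-3/bin/openssl.
probe_engine() {
    engine=$1
    nbytes=${2:-8}
    bin=${OPENSSL_BIN:-openssl}
    base=$(OPENSSL_CONF="" "$bin" rand -hex "$nbytes" 2>&1)
    eng=$(OPENSSL_CONF="" "$bin" rand -engine "$engine" -hex "$nbytes" 2>&1)
    classify_rand "$nbytes" "$base" "$eng"
}
```

Source the file and run "probe_engine pkcs11"; a verdict of engine-rng-broken matches the behaviour shown in the transcript.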
