On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham <cauldwell.tho...@gmail.com> wrote:
> Dmitry Belyavsky <beld...@gmail.com> wrote > in > news:cadqlbz+jctu_yqiw9w-fyo0o56mqua2nri6helr6pggxqdh...@mail.gmail.com: > > > On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham > > <cauldwell.tho...@gmail.com> wrote: > > > >> Dmitry Belyavsky <beld...@gmail.com> > >> wrote: > >> > >> >> You still have the OpenSSL built-in RNG. > >> > >> > >> > >> Is there a simple compiler flag to remove this? > >> > >> Or do I need to go into the source code and stick a "return -1;" > >> somewhere? > >> > >> No. Openssl will not work if you do not provide a valid RAND_METHOD > >> except > > a very minimal set of operations. > > > > > So I have to go into the source code and do the following? > > int RAND_bytes(unsigned char *buf, int num) > { > memset(buf,0,num); > return 1; > } > > I can either make this function fail (e.g. call 'abort'), or I can always > make it return 0. > > What do you think? > > No. It just makes the RNG unsuitable for any purpose but does not help you. You should do in your engine the following: Implement the TPM-provided RAND_METHOD in the engine call ENGINE_set_RAND for RAND method in the engine bind fuction and write a config file similar to ========= openssl_conf = openssl_def [ openssl_def ] engines = engines_section [ engines_section ] cryptocom = my_section [ my_section ] engine_id = myengine.so default_algorithms = RAND ========= -- SY, Dmitry Belyavsky
