On Wed, Oct 30, 2019 at 02:12:19PM -, Frederick Gotham wrote:
>
> It appears that OpenSSL will kick and scream and refuse to die not
> matter how hard you hit it. If I try to generate a random number like
> this:
>
> openssl rand -hex 8
>
> Then it seems it will try in this order:
>
Why not just change things so that if your module fails to load, the library
exits?
Don't change the RAND code, change the INIT code.
Frederick Gotham wrote:
> static int drbg_bytes(unsigned char *out, int count)
> {
> int const retval = drbg_bytes_REAL(out, count);
>
> /* Try to get a semi-unique value for the first byte */
> char unsigned rotating_value = (unsigned)out ^ ((unsigned)count <<
> 4u);
>
Frederick Gotham wrote:
>
> I will change the random number generator built into OpenSSL to always
> return sequential numbers, something like:
Here's what I have:
static int drbg_bytes(unsigned char *out, int count)
{
int const retval = drbg_bytes_REAL(out, count);
Frederick Gotham
wrote:
>
> And anyway this behaviour didn't come from deleting /dev/random, but
> rather from making the default generator inside OpenSSL always give 0
> for a random byte.
I will change the random number generator built into OpenSSL to always
return sequential numbers,
Frederick Gotham
wrote in
news:XnsAAF8BACC24C3Bfgotham@195.159.176.226:
> Jochen Bern
> wrote:
>
>> SSH logins from remote that fail
>
>
> This is my exact problem right now. My device has booted up and I
> can't SSH into it.But this doesn't entirely make sense since it should
> be getting
Jochen Bern wrote:
> SSH logins from remote that fail
This is my exact problem right now. My device has booted up and I can't SSH
into it.But this doesn't entirely make sense since it should be getting
random numbers from the TPM2 chip anyway.
On 10/30/2019 04:19 PM, openssl-users-requ...@openssl.org digested:
> From: Frederick Gotham
> To: openssl-users@openssl.org
>
> I even tried deleting /dev/random and /dev/urandom
... don't do that. The Linux kernel is both a provider and a consumer of
entropy, e.g., to randomize the TCP
Dmitry Belyavsky wrote:
> You should do in your engine the following:
Just so you know, I'm not a developer of the TPM2 engine for OpenSSL.
Of course though I can still go in and edit the code here and there.
> Implement the TPM-provided RAND_METHOD in the engine
> call ENGINE_set_RAND for
On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham
wrote:
> Dmitry Belyavsky wrote
> in
> news:cadqlbz+jctu_yqiw9w-fyo0o56mqua2nri6helr6pggxqdh...@mail.gmail.com:
>
> > On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> > wrote:
> >
> >> Dmitry Belyavsky
> >> wrote:
> >>
> >> >> You still have
Dmitry Belyavsky wrote
in
news:cadqlbz+jctu_yqiw9w-fyo0o56mqua2nri6helr6pggxqdh...@mail.gmail.com:
> On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> wrote:
>
>> Dmitry Belyavsky
>> wrote:
>>
>> >> You still have the OpenSSL built-in RNG.
>>
>>
>>
>> Is there a simple compiler flag to
On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
wrote:
> Dmitry Belyavsky wrote:
>
> >> You still have the OpenSSL built-in RNG.
>
>
>
> Is there a simple compiler flag to remove this?
>
> Or do I need to go into the source code and stick a "return -1;" somewhere?
>
> No. Openssl will not work
Dmitry Belyavsky wrote:
>> You still have the OpenSSL built-in RNG.
Is there a simple compiler flag to remove this?
Or do I need to go into the source code and stick a "return -1;" somewhere?
On Wed, Oct 30, 2019 at 6:20 PM Frederick Gotham
wrote:
> Dmitry Belyavsky wrote
>
> >> /etc/ssl/openssl.cnf
> >
> > Yes, or any custom.
> > But the engine must provide the RAND_METHOD and set it as default.
> >
> >
>
>
>
> But if my TPM2 engine fails to load, then OpenSSL will just use the
>
Dmitry Belyavsky wrote
>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
>
>
But if my TPM2 engine fails to load, then OpenSSL will just use the
'rdrand' engine.
So my defense agains this is to rebuild OpenSSL with the
On Wed, Oct 30, 2019 at 6:08 PM Frederick Gotham
wrote:
> Dmitry Belyavsky wrote:
>
>
> >> It can be done via the engine code and config.
>
>
> Do you mean
>
> /etc/ssl/openssl.cnf
>
> ?
>
Yes, or any custom.
But the engine must provide the RAND_METHOD and set it as default.
--
SY, Dmitry
Dmitry Belyavsky wrote:
>> It can be done via the engine code and config.
Do you mean
/etc/ssl/openssl.cnf
?
On Wed, Oct 30, 2019 at 6:00 PM Frederick Gotham
wrote:
> Dmitry Belyavsky wrote:
>
> > Did you try to create your own RAND_METHOD and set it as default on
> > loading the engine?
>
>
> No, I didn't try that.
>
> Note that I'm only using the OpenSSL binary, I'm not interfacing with an
> API.
>
>
Dmitry Belyavsky wrote:
> Did you try to create your own RAND_METHOD and set it as default on
> loading the engine?
No, I didn't try that.
Note that I'm only using the OpenSSL binary, I'm not interfacing with an
API.
Did you try to create your own RAND_METHOD and set it as default on loading
the engine?
On Wed, Oct 30, 2019 at 5:40 PM Frederick Gotham
wrote:
>
> I'm working on Linux with a x86-64 CPU.
>
> I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
> and random number generation
I'm working on Linux with a x86-64 CPU.
I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
and random number generation through the TPM2 chip.
In the event that the chip fails, I do NOT want there to be a backup
system. I do NOT want any kind of software psuedorandom
21 matches
Mail list logo
