Did you try to create your own RAND_METHOD and set it as default on loading the engine?
On Wed, Oct 30, 2019 at 5:40 PM Frederick Gotham <cauldwell.tho...@gmail.com> wrote:
>
> I'm working on Linux with an x86-64 CPU.
>
> I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
> and random number generation through the TPM2 chip.
>
> In the event that the chip fails, I do NOT want there to be a backup
> system. I do NOT want any kind of software pseudorandom number generator
> nor any software encryption routines.
>
> The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine
> library requires two more libraries, "libtss2-tcti-device.so" and
> "libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas
> the latter is a software simulator.)
>
> As I don't want to have a simulator, I tried simply deleting the
> simulator library, but this caused linkage problems for the mother
> engine library. As an alternative, I made a new dummy library in which
> all of the functions return an error value, and I put this dummy library
> in the place of the simulator. This transplant went fine.
>
> It appears that OpenSSL will kick and scream and refuse to die no
> matter how hard you hit it. If I try to generate a random number like
> this:
>
> openssl rand -hex 8
>
> Then it seems it will try in this order:
>
> 1) The TPM2 chip
> 2) The software simulator of the TPM2 chip
> 3) The built-in RDRAND number
> 4) Another one that I can't find
>
> I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
> the in-built engine. I have even done "rm /dev/random" and "rm
> /dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I
> run openssl rand -hex 8.
>
> How on earth to get OpenSSL to simply give up? I simply cannot have it
> use anything other than my TPM2 chip.
>
> Frederick
>
>

--
SY, Dmitry Belyavsky