Not enabling default provider leads to "broken"/low entropy/randomness

[EverybodyGetsHurt]

Im trying to build my openssl with the latest version with OQS, but after building and installing everything successfully, i can see that everything works also. But the server ends up being unable to curl, wget, etc, and errors about insufficient randomness: curl: (35) Insufficient randomness

I tried a couple of things to try and fix the entropy but that seems to be a giant hassle.

I wonder if somebody else has had this issue or and clue what could cause it.

I tried it a couple of times on different servers.

I made a small guide for myself to use for the steps, if i do it like this, it results in the issue:

`

- Enable SCTP:

sudo modprobe sctp
sudo sysctl -w net.sctp.auth_enable=1
lsmod | grep sctp

- Set the System.map:

sudo ln -s /boot/System.map-$(uname -r) /lib/modules/$(uname -r)/System.map

- Enable cryptodev engine:

mkdir /root/.cryptodev
cd /root/.cryptodev
git clone https://github.com/cryptodev-linux/cryptodev-linux.git
cd cryptodev-linux

- Compile and install cryptodev:

make -j6
sudo make install
sudo make -C /lib/modules/$(uname -r)/build M=$(pwd) modules_install

- Update module dependencies and load cryptodev module:

sudo depmod -a
sudo modprobe cryptodev

- Verify cryptodev module and device:

lsmod | grep cryptodev
ls -l /dev/crypto

- Create or edit the systemd service unit file to run commands at each boot:

cat <<EOT | sudo tee /etc/systemd/system/custom-commands.service
[Unit]
Description=Custom Commands

[Service]
ExecStart=/bin/bash -c "modprobe sctp && sysctl -w net.sctp.auth_enable=1 && modprobe cryptodev"

[Install]
WantedBy=multi-user.target
EOT

- Enable the service:

sudo systemctl enable custom-commands.service
sudo reboot

- Set Up Directories, Clone OpenSSL, Initialize Submodules and enter folder:

mkdir /root/.OpenSSL
cd /root/.OpenSSL
git clone https://github.com/openssl/openssl.git
cd openssl

- Download and apply the custom patch to add the extra CHACHA20-POLY1305 256-bits ciphers:

cd /root/.OpenSSL/openssl
curl -O https://raw.githubusercontent.com/EverybodyGetsHurt/OpenSSL-3.x.x-dev-OpenSSL-1.1.1x-chacha20-poly1305_draft/master/OpenSSL-3.4.0-dev_chacha20-poly1305_draft.patch
sudo patch -p1 < OpenSSL-3.4.0-dev_chacha20-poly1305_draft.patch

- Configurate a FULL installation for 3.4.0-dev

./config \
--prefix=/usr/local/Gorefest-3.4.0 \
--openssldir=/usr/local/Gorefest-3.4.0/ssl \
--libdir=/usr/local/Gorefest-3.4.0/lib \
--banner="Gorefest-3.4.0" \
-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS \
-DWITH_LZO -DWITH_BZIP2 -DWITH_BROTLI -DWITH_ZSTD \
-DASYNC_ENABLE -DOPENSSL_USE_TLS1_3 -DOPENSSL_USE_AESNI -DOPENSSL_ENABLE_MD5_SHA1 -DOPENSSL_USE_AESNI -DOPENSSL_USE_GCM_CRYPTO \
enable-shared enable-pinshared enable-heartbeats \
enable-pic enable-err enable-stdio enable-fips \
enable-idea enable-seed enable-scrypt enable-rdrand \
enable-zlib enable-zlib-dynamic enable-threads \
enable-brotli enable-brotli-dynamic enable-ktls \
enable-engine enable-dynamic-engine enable-nextprotoneg \
enable-capieng enable-afalgeng enable-devcryptoeng \
enable-posix-io enable-sock enable-async enable-zstd \
enable-buildtest-c++ enable-unit-test enable-acvp-tests \
enable-external-tests enable-tests enable-trace \
enable-deprecated enable-filenames enable-zstd-dynamic \
enable-multiblock enable-makedepend enable-uplink \
enable-autoalginit enable-autoerrinit enable-autoload-config \
enable-bf enable-cast enable-ssl enable-ssl-trace \
enable-cms enable-comp enable-ocb enable-asm enable-egd \
enable-ct enable-ocsp enable-ec_nistp_64_gcc_128 \
enable-srp enable-sse2 enable-psk enable-rfc3779 \
enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method \
enable-dtls enable-ec2m enable-dtls1 enable-dtls1_2-method \
enable-camellia enable-chacha enable-poly1305 \
enable-ec enable-ecdh enable-ecdsa enable-whirlpool \
enable-rmd160 enable-aria enable-blake2 enable-tfo \
enable-des enable-dh enable-dsa enable-dso enable-ts \
enable-srtp enable-dgram enable-cmac enable-siphash \
enable-md2 enable-md4 enable-mdc2 enable-rc2 enable-rc4 \
enable-rc5 enable-sm2 enable-sm3 enable-sm4 enable-legacy \
enable-secure-memory enable-loadereng enable-padlockeng \
enable-bulk enable-cached-fetch enable-http enable-ecx \
enable-thread-pool enable-default-thread-pool \
enable-crypto-mdebug enable-crypto-mdebug-backtrace \
enable-sctp

- Make everything:

sudo make all -j12

- Run a test:

sudo make test

- Install the build:

sudo make install

- Set the directories for your custom location:

echo 'export PATH=/usr/local/Gorefest-3.4.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH' >> ~/.bashrc
echo 'export LD_LIBRARY_PATH=/usr/local/Gorefest-3.4.0/lib:$LD_LIBRARY_PATH' >> ~/.bashrc
echo 'export PERL5LIB=$PERL5LIB:/root/.OpenSSL/openssl/util/perl' >> ~/.bashrc
echo 'export SRCTOP=/root/.OpenSSL/openssl' >> ~/.bashrc
echo 'export BLDTOP=/root/.OpenSSL/openssl' >> ~/.bashrc
source ~/.bashrc

- Check if you are using your new installation:

openssl version -a -v

- Reboot the server:

sudo reboot

- Clone and Build liboqs:

mkdir /root/.OpenSSL
cd /root/.OpenSSL
git clone https://github.com/open-quantum-safe/liboqs.git
cd liboqs

- Fix for the malloc error

sed -i 's/malloc(strlen(method_name) + strlen(".sk"))/malloc(strlen(method_name) + strlen(".sk") + 1)/' /root/.OpenSSL/liboqs/tests/example_sig_stfl.c

- Configure and build liboqs:

cmake -DCMAKE_INSTALL_PREFIX=$(pwd)/../.local -S . -B _build
cmake --build _build
cmake --install _build
cd ..

- Clone and Build the OQS Provider:

- Clone the OQS provider repository:

cd /root/.OpenSSL
git clone https://github.com/open-quantum-safe/oqs-provider.git
cd oqs-provider

- Configure the build to use static linking:

cmake -DOPENSSL_ROOT_DIR=/usr/local/Gorefest-3.4.0 \
      -DCMAKE_PREFIX_PATH="/usr/local/Gorefest-3.4.0;/root/.OpenSSL/.local" \
      -Dliboqs_DIR=/root/.OpenSSL/.local/lib/cmake/liboqs \
      -DBUILD_SHARED_LIBS=OFF -S . -B _build

- Build the OQS provider:

cmake --build _build

- Run the tests to ensure everything is set up correctly:

(cd _build; ctest)
cd ..	

- Ensure that the OQS provider is in a directory where OpenSSL can find it.

- Copy the OQS provider shared library to your custom OpenSSL library directory:

mkdir -p /usr/local/Gorefest-3.4.0/lib/ossl-modules
mv /root/.OpenSSL/oqs-provider/_build/lib/oqsprovider.so /usr/local/Gorefest-3.4.0/lib/ossl-modules/
export OPENSSL_MODULES=/usr/local/Gorefest-3.4.0/lib/ossl-modules

- Create or edit your OpenSSL configuration file (e.g., /usr/local/Gorefest-3.4.0/ssl/openssl.cnf) to include the OQS provider and Activate it:

cat <<EOT | sudo tee /usr/local/Gorefest-3.4.0/ssl/openssl.cnf
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
oqsprovider = oqsprovider_sect

[oqsprovider_sect]
activate = 1
EOT

- Run the following command to verify that the OQS provider is recognized by your custom OpenSSL installation:

openssl list -signature-algorithms -provider oqsprovider
`

[baentsch]

Please check the USAGE file:

Note: Be sure to always activate either the "default" or "fips" provider as these deliver functionality also needed by oqsprovider (e.g., for hashing or high quality random data during key generation).

-> By disabling either (read: both) std provider of OpenSSL you disable the sole source of randomness for the system.

[EverybodyGetsHurt]

Thanks for the quick reply!
I will check that, I was not aware.

[baentsch]

UW. Hope you're OK I changed the title of the question such that others with the same problem may find this answer too (?)

[EverybodyGetsHurt]

Absolutely, makes it useful for future references.
Thanks again.

[EverybodyGetsHurt]

For future reference.

What @baentsch said, means the following:

THIS IS WRONG:

cat <<EOT | sudo tee /usr/local/Gorefest-3.4.0/ssl/openssl.cnf
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
oqsprovider = oqsprovider_sect

[oqsprovider_sect]
activate = 1
EOT

THE CORRECT COMMAND SHOULD BE:

cat <<EOT | sudo tee /usr/local/Gorefest-3.4.0/ssl/openssl.cnf
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect

[default_sect]
activate = 1

[oqsprovider_sect]
activate = 1
EOT

This solved the issue.

[baentsch]

Thanks for the explicit correction @EverybodyGetsHurt to help "posterity": Very kind to present and future community.

May I ask whether this is part of a possibly more generally interesting OQS integration? We're always looking for things like this in the oqs-demos project for others to get a "head start" with integrations: Please consider contributing there if you feel your work may be of interest to more folks!