I have a config file, "/etc/ssl/openssl.cnf". This config file gives the
details of an engine to use for random number generation. I know that this
config file is well-formed because I have confirmed that it uses my engine
when I try to use the "openssl" utility at the command line to generate a
I have been able to determine though that some other programs which link
with "libssl.so" are NOT using my engine.
Since I already know that my
config file is well-formed, I can only conclude that these other programs
are initialising the OpenSSL library as follows:
So in order to make sure that every program that links with "libssl.so"
actually uses my engine, I think I need to go into the OpenSSL source code and
replace the OPENSSL_noconfig function like this:
Can anyone think of any other ideas to ensure that "libssl.so" always uses
the engine specified in the config file?
Since I already have a well-formed config file, I think it would be a minimalistic change to hijack the "OPENSSL_noconfig" function (instead of changing the code for Init).
But your idea could work too. Even if I do implement your idea though, I will still remove the random number generation routines in drbg_lib.c, as there should not be any software psudeorandomness generator on my embedded device.
Okay first I'll show the changes that I've made to the source code and
build setup for "libopenssl".
I have added two compiler flags: OPENSSL_NO_RDRAND, OPENSSL_LOAD_CONFIG
Not that the following compiler flag is NOT set:
And here are the source code changes:
(1) File: ssl_init.c
Purpose of Alteration: Clear the option flag bit for not loadind conf
Alteration: In the function "OPENSSL_init_ssl", insert the following
line at the beginning of the function:
opts &= ~(uint64_t)OPENSSL_INIT_NO_LOAD_CONFIG; /* Clear the bit for
not loading TPM2 engine */
(2) File: drbg_lib.c
Purpose of Alteration: Make a log of all uses of the built-in
Alteration: Rename the function definition "drbg_bytes" to
"drbg_bytes_REAL", and then append the following to the end of the file:
static int drbg_bytes(unsigned char *out, int count)
int const retval = drbg_bytes_REAL(out, count); /* I renamed the
real function */
int const fd_lock = open("/tmp/locker_for_randomness_log", O_CREAT);
ltime = time(NULL);
stime[ strlen(stime) - 1 ] = ' '; /* Get rid of newline
char at the end */
fprintf(pfile, "%s - - - %u bytes\n", stime, (unsigned)
I have reconfigured and rebuilt "libopenssl", and so I boot up my device
and then I run the following command:
tail -F /var/log/bad_randomness.log
This file shouldn't exist if the built-in generator is never used -- but
some how, some way, even with all the changes I've made above, at least
one of the running processes that links with "libssl.so" is NOT using the
engine I specify in the config file "/etc/ssl/openssl.cnf". Looking at the
output from the 'tail' command above, it's requesting 16 bytes of random
data every 6 seconds. Here's the repeated line:
Mon Nov 04 12:41:06 2019 - - - 16 bytes
Here's how I get a list of all the procesess currently using "libssl.so":
So this means that one of these two progams is some how managing to load
up the 'libopenssl' library and get it to use its internal random number
generator. I wonder if this is being achieved with explicit library calls
to functions such as "OPENSSL_add_all_algorithms_noconf"?
I suppose I could also add a stack trace to my log file to try figure out
which process is requesting those 16 bytes every 6 seconds.