Force the use of engine in config file

Force the use of engine in config file

Frederick Gotham
I have a config file, "/etc/ssl/openssl.cnf". This config file gives the
details of an engine to use for random number generation. I know that this
config file is well-formed because I have confirmed that it uses my engine
when I try to use the "openssl" utility at the command line to generate a
random number.

I have been able to determine though that some other programs which link
with "libssl.so" are NOT using my engine.

Since I already know that my
config file is well-formed, I can only conclude that these other programs
are initialising the OpenSSL library as follows:

    OPENSSL_noconfig();

So in order to make sure that every program that links with "libssl.so"
actually uses my engine, I think I need to go into the OpenSSL source code and
replace the OPENSSL_noconfig function like this:

int OPENSSL_config(void)
{
    return OPENSSL_config();
}

Can anyone think of any other ideas to ensure that "libssl.so" always uses
the engine specified in the config file?

Force the use of engine in config file

Frederick Gotham
>> int OPENSSL_config(void)
>> {
>>     return OPENSSL_config();
>> }

That first line should be:

    int OPENSSL_noconfig(void)

Re: Force the use of engine in config file

OpenSSL - User mailing list

If you are changing openssl, why not just change the init function to load your engine and abort/exit/fail if it doesn’t load?


Re: Force the use of engine in config file

Frederick Gotham

Since I already have a well-formed config file, I think it would be a minimalistic change to hijack the "OPENSSL_noconfig" function (instead of changing the code for Init).

But your idea could work too. Even if I do implement your idea though, I will still remove the random number generation routines in drbg_lib.c, as there should not be any software pseudorandomness generator on my embedded device.



On Saturday, November 2, 2019, Salz, Rich <[hidden email]> wrote:

If you are changing openssl, why not just change the init function to load your engine and abort/exit/fail if it doesn’t load?


Re: Force the use of engine in config file

Frederick Gotham

Okay first I'll show the changes that I've made to the source code and
build setup for "libopenssl".

I have added two compiler flags:  OPENSSL_NO_RDRAND, OPENSSL_LOAD_CONFIG

Note that the following compiler flag is NOT set:
OPENSSL_NO_AUTOLOAD_CONFIG

And here are the source code changes:

(1) File: ssl_init.c
    Purpose of Alteration: Clear the option flag bit for not loading conf
    Alteration: In the function "OPENSSL_init_ssl", insert the following
line at the beginning of the function:

    opts &= ~(uint64_t)OPENSSL_INIT_NO_LOAD_CONFIG;  /* Clear the bit for not loading TPM2 engine */

(2) File: drbg_lib.c
    Purpose of Alteration: Make a log of all uses of the built-in
generator
    Alteration: Rename the function definition "drbg_bytes" to
"drbg_bytes_REAL", and then append the following to the end of the file:

#include <fcntl.h>      /* open(), O_CREAT, O_RDWR */
#include <stdio.h>
#include <string.h>
#include <sys/file.h>   /* flock() */
#include <time.h>
#include <unistd.h>     /* close() */

static int drbg_bytes(unsigned char *out, int count)
{
        int const retval = drbg_bytes_REAL(out, count);  /* I renamed the real function */

        /* O_CREAT requires a mode argument; the descriptor is closed below so
           that one call per request does not leak a file descriptor */
        int const fd_lock = open("/tmp/locker_for_randomness_log", O_RDWR | O_CREAT, 0600);

        if ( -1 == fd_lock )
                return retval;  /* Cannot take the lock: skip logging, keep the bytes */

        flock(fd_lock, LOCK_EX);

        {
                FILE *const pfile = fopen("/var/log/bad_randomness.log", "a");

                if ( NULL != pfile )
                {
                        time_t ltime;
                        struct tm result;
                        char stime[32];

                        ltime = time(NULL);
                        localtime_r(&ltime, &result);
                        asctime_r(&result, stime);
                        stime[ strlen(stime) - 1 ] = ' ';  /* Get rid of newline char at the end */
                        fprintf(pfile, "%s - - - %u bytes\n", stime, (unsigned) count);
                        fclose(pfile);
                }
        }

        flock(fd_lock, LOCK_UN);
        close(fd_lock);

        return retval;
}


I have reconfigured and rebuilt "libopenssl", and so I boot up my device
and then I run the following command:

    tail -F /var/log/bad_randomness.log

This file shouldn't exist if the built-in generator is never used -- but
somehow, some way, even with all the changes I've made above, at least
one of the running processes that links with "libssl.so" is NOT using the
engine I specify in the config file "/etc/ssl/openssl.cnf". Looking at the
output from the 'tail' command above, it's requesting 16 bytes of random
data every 6 seconds. Here's the repeated line:

    Mon Nov 04 12:41:06 2019  - - - 16 bytes

Here's how I get a list of all the processes currently using "libssl.so":

    grep libssl /proc/*/maps | cut -d ':' -f 1 | cut -d '/' -f 3 | uniq | xargs -n1 -i ls -l /proc/{}/exe

And here's the output I'm getting:

    lrwxrwxrwx    1 root     root             0 Feb 16 02:54 /proc/1622/exe -> /usr/sbin/lighttpd
    lrwxrwxrwx    1 root     root             0 Feb 16 02:54 /proc/1681/exe -> /opt/prodanko/bin/callar_plugin

So this means that one of these two programs is somehow managing to load
up the 'libopenssl' library and get it to use its internal random number
generator. I wonder if this is being achieved with explicit library calls
to functions such as "OPENSSL_add_all_algorithms_noconf"?

I suppose I could also add a stack trace to my log file to try figure out
which process is requesting those 16 bytes every 6 seconds.

Any ideas on what to try next?
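The stack-trace idea at the end of that post points at the real gap in the log: it never says which process wrote each line. As an added example (not the poster's code and not part of OpenSSL), here is a logging routine that records the calling process's pid and executable path under the same flock() pattern; the log and lock paths, and calling it from the drbg_bytes wrapper, are assumptions.

```c
#define _DEFAULT_SOURCE   /* for flock(), readlink(), localtime_r() */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Build one log line naming the calling process (pid and /proc/self/exe,
 * Linux-specific) and the request size. snprintf semantics: returns the
 * length the line needs, even if buf is too small. */
int format_rand_line(char *buf, size_t size, unsigned count)
{
    char exe[256] = "?";           /* "?" if /proc/self/exe is unreadable */
    char stamp[32];
    time_t now = time(NULL);
    struct tm tm;
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n > 0)
        exe[n] = '\0';
    localtime_r(&now, &tm);
    strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", &tm);
    return snprintf(buf, size, "%s pid=%ld exe=%s - %u bytes\n",
                    stamp, (long)getpid(), exe, count);
}

/* Append the line to log_path under an flock() on lock_path (assumed paths),
 * so several processes can share one log. Returns bytes written or -1. */
int log_rand_request(const char *log_path, const char *lock_path, unsigned count)
{
    char line[512];
    int written = -1, lock_fd;
    FILE *log;
    if (format_rand_line(line, sizeof line, count) < 0)
        return -1;
    /* O_CREAT needs a mode; close the fd so one call per request does not leak */
    lock_fd = open(lock_path, O_RDWR | O_CREAT, 0600);
    if (lock_fd < 0)
        return -1;
    flock(lock_fd, LOCK_EX);
    log = fopen(log_path, "a");
    if (log != NULL) {
        written = fputs(line, log) >= 0 ? (int)strlen(line) : -1;
        fclose(log);
    }
    flock(lock_fd, LOCK_UN);
    close(lock_fd);
    return written;
}
```

With the exe path in each line, the two candidates from the /proc maps listing can be told apart without a debugger.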


Re: Force the use of engine in config file

Frederick Gotham
> Okay first I'll show the changes that I've made to the source code and
> build setup for "libopenssl".


I added one more change: at the beginning of the function
"OPENSSL_init_crypto" I added these two lines:

        opts &= ~(uint64_t)OPENSSL_INIT_NO_LOAD_CONFIG;
        opts |= OPENSSL_INIT_LOAD_CONFIG;


I think that this might finally have made **every** process load the
libssl.so library and use the engine I specify.

Unfortunately though, when my device boots up, it doesn't get past this
point:

    random: crng init done
    random: 7 urandom warning(s) missed due to ratelimiting

It freezes at that point. . . I don't know what it's doing (if anything) in
the background.

The machine isn't **totally** frozen though, because when I plug in a USB
stick, I get:

    usb 1-6: new high-speed USB device number 6 using xhci_hcd