Latest idea to force usage of custom engine

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Latest idea to force usage of custom engine

Frederick Gotham

I have abandoned my old idea of trying to get libOpenSSL to always read my
engine info from the config file (/etc/ssl/openssl.cnf).

Instead I'm going to try to manually load my own engine in the source code
for libOpenSSL.


I have created a new function in "rand_lib.c" as follows:


static void Do_Whatever_Needs_Done_For_TPM2(void)
{
        CRYPTO_THREAD_write_lock(rand_meth_lock);
        {
                /* Initialize the dynamic engine loader */
                ENGINE_load_dynamic();

                ENGINE *tpm2_engine;
         
                /* If the first fails, try the second one */
                (tpm2_engine = ENGINE_by_id("tpm2tss")) || (tpm2_engine =
ENGINE_by_id("libtpm2tss"));
               
                if ( NULL == tpm2_engine )
                {
                        assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: tpm2
_engine == NULL" );
                        abort();
                }

                int init_res = ENGINE_init(tpm2_engine);
               
                if ( !init_res )
                {
                        assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: init_res
== 0" );
                        abort();
                }
                       
                RAND_METHOD const *const p_rm = ENGINE_get_RAND(tpm2_engine);

                if ( NULL == p_rm )
                {
                        assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: p_rm ==
NULL" );
                        abort();
                }
                       
                funct_ref = tpm2_engine;

                default_RAND_meth = p_rm;
               
                rand_meth = *default_RAND_meth;  /* Even set the Drbg func
pointers */
        }
        CRYPTO_THREAD_unlock(rand_meth_lock);
}



And then the next thing I've done is added the following code to the start
of "RAND_get_rand_method":



const RAND_METHOD *RAND_get_rand_method(void)
{
        static int first_time_for_entire_process = 1;
       
        if ( first_time_for_entire_process )
        {
                first_time_for_entire_process = 0;
                Do_Whatever_Needs_Done_For_TPM2();
        }

    /* The rest of the function goes here */
}


I'm testing it now but it still seems that something isn't right.

I'm going to keep at this until every process (including ssh-keygen) is
using my custom engine for random numbers.

Reply | Threaded
Open this post in threaded view
|

Re: Latest idea to force usage of custom engine

Frederick Gotham
 
> I'm going to keep at this until every process (including ssh-keygen) is
> using my custom engine for random numbers.


Now every process that links with 'libcrypto.so' is segfaulting in
libpthread-2.28.so. Here's the error:

    openssl[1744]: segfault at 18 ip 00007f1798d44930 sp 00007ffcf46bb1b8
error 4 in libpthread-2.28.so[7f1798d38000+1a000]

Here's the totality of the changes I've made. . . I added the following to
"rand_lib.c":


/* =================== The fields in RAND_METHOD ======================
    int (*seed) (const void *buf, int num);
    int (*bytes) (unsigned char *buf, int num);
    void (*cleanup) (void);
    int (*add) (const void *buf, int num, double randomness);
    int (*pseudorand) (unsigned char *buf, int num);
    int (*status) (void);
   ==================================================================== */

#include <assert.h>

static int Supplemented_seed(const void *buf, int num) { (void)buf; (void)
num; return 1; }

static void Supplemented_cleanup(void) { /* Do Nothing */ return; }

static int Supplemented_add(const void *buf, int num, double randomness)
{ (void)buf; (void)num; (void)randomness; return 1; }

static int Supplemented_status(void) { /* Do Nothing */ return 1; }

static CRYPTO_ONCE crypto_once_tpm2_init = CRYPTO_ONCE_STATIC_INIT;

DEFINE_RUN_ONCE_STATIC(Do_Whatever_Needs_Done_For_TPM2)
{
        /* Initialize the dynamic engine loader */
        ENGINE_load_dynamic();

        ENGINE *tpm2_engine;
 
        /* If the first fails, try the second one */
        (tpm2_engine = ENGINE_by_id("tpm2tss")) || (tpm2_engine =
ENGINE_by_id("libtpm2tss"));
       
        if ( NULL == tpm2_engine )
        {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: NULL == tpm2
_engine" );
                abort();
        }

        int const init_res = ENGINE_init(tpm2_engine);
       
        if ( 0 == init_res )
        {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: 0 ==
init_res" );
                abort();
        }
               
        RAND_METHOD const *const p_rm = ENGINE_get_RAND(tpm2_engine);

        if ( NULL == p_rm )
        {
                assert( 0 == "Do_Whatever_Needs_Done_For_TPM2: NULL ==
p_rm" );
                abort();
        }
       
        static RAND_METHOD funcptrs = {
                Supplemented_seed,          /* seed() */
                0, /* bytes() */
                Supplemented_cleanup,       /* cleanup() */
                Supplemented_add,           /* add() */
                0,                /* pseudorand() */
                Supplemented_status                 /* status() */
        };
       
        CRYPTO_THREAD_write_lock(rand_meth_lock);
                funcptrs.bytes = p_rm->bytes;
                funcptrs.pseudorand = p_rm->pseudorand;
                funct_ref = tpm2_engine;
                default_RAND_meth = &funcptrs;
                rand_meth = funcptrs;  /* Even set the Drbg func pointers */
        CRYPTO_THREAD_unlock(rand_meth_lock);
       
        return 0;
}

const RAND_METHOD *RAND_get_rand_method(void)
{
    RUN_ONCE(&crypto_once_tpm2_init,  Do_Whatever_Needs_Done_For_TPM2);


Reply | Threaded
Open this post in threaded view
|

Re: Latest idea to force usage of custom engine

Frederick Gotham
Frederick wrote:
>      
>      CRYPTO_THREAD_write_lock(rand_meth_lock);
>      CRYPTO_THREAD_write_lock(rand_engine_lock);


This is what's causing the segfault in libpthread.so

I can only imagine that the same thread is trying to re-lock a single-lock
mutex. So my code should be something like:


int already_locked_meth = is_already_locked(rand_meth_lock);
int already_locked_engine = is_already_locked(rand_engine_lock);

if (!already_locked_meth)
    CRYPTO_THREAD_write_lock(rand_meth_lock);    

if (!already_locked_engine)
    CRYPTO_THREAD_write_lock(rand_engine_lock);


/* DO STUFF */

if (!already_locked_meth)
    CRYPTO_THREAD_unlock(rand_meth_lock);    

if (!already_locked_engine)
    CRYPTO_THREAD_unlock(rand_engine_lock);