Remove All Software Generators

classic Classic list List threaded Threaded
21 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Remove All Software Generators

Frederick Gotham

I'm working on Linux with a x86-64 CPU.

I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
and random number generation through the TPM2 chip.

In the event that the chip fails, I do NOT want there to be a backup
system. I do NOT want any kind of software psuedorandom number generator
nor any software encryption routines.

The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine
library requires two more libraries, "libtss2-tcti-device.so" and
"libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas
the latter is a software simulator).

As I don't want to have a simulator, I tried simply deleting the
simulator library, but this caused linkage problems for the mother
engine library. As an alternative, I made a new dummy library in which
all of the functions return an error value, and I put this dummy library
in the place of the simulator. This transplant went fine.

It appears that OpenSSL will kick and scream and refuse to die not
matter how hard you hit it. If I try to generate a random number like
this:

    openssl rand -hex 8

Then it seems it will try in this order:

1) The TPM2 chip
2) The software simulator of the TPM2 chip
3) The built-in RDRAND number
4) Another one that I can't find

I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
the in-built engine. I have even done "rm /dev/random" and "rm
/dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I
run openssl rand -hex 8.

How on earth to get OpenSSL to simply give up? I simply cannot have it
use anything other than my TPM2 chip.

Frederick


Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Dmitry Belyavsky-3
Did you try to create your own RAND_METHOD and set it as default on loading the engine?

On Wed, Oct 30, 2019 at 5:40 PM Frederick Gotham <[hidden email]> wrote:

I'm working on Linux with a x86-64 CPU.

I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
and random number generation through the TPM2 chip.

In the event that the chip fails, I do NOT want there to be a backup
system. I do NOT want any kind of software psuedorandom number generator
nor any software encryption routines.

The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine
library requires two more libraries, "libtss2-tcti-device.so" and
"libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas
the latter is a software simulator).

As I don't want to have a simulator, I tried simply deleting the
simulator library, but this caused linkage problems for the mother
engine library. As an alternative, I made a new dummy library in which
all of the functions return an error value, and I put this dummy library
in the place of the simulator. This transplant went fine.

It appears that OpenSSL will kick and scream and refuse to die not
matter how hard you hit it. If I try to generate a random number like
this:

    openssl rand -hex 8

Then it seems it will try in this order:

1) The TPM2 chip
2) The software simulator of the TPM2 chip
3) The built-in RDRAND number
4) Another one that I can't find

I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
the in-built engine. I have even done "rm /dev/random" and "rm
/dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I
run openssl rand -hex 8.

How on earth to get OpenSSL to simply give up? I simply cannot have it
use anything other than my TPM2 chip.

Frederick




--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Dmitry Belyavsky wrote:

> Did you try to create your own RAND_METHOD and set it as default on
> loading the engine?


No, I didn't try that.

Note that I'm only using the OpenSSL binary, I'm not interfacing with an
API.


Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Dmitry Belyavsky-3

On Wed, Oct 30, 2019 at 6:00 PM Frederick Gotham <[hidden email]> wrote:
Dmitry Belyavsky wrote:

> Did you try to create your own RAND_METHOD and set it as default on
> loading the engine?


No, I didn't try that.

Note that I'm only using the OpenSSL binary, I'm not interfacing with an
API.

It can be done via the engine code and config. 


--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Dmitry Belyavsky <[hidden email]> wrote:


>> It can be done via the engine code and config.


Do you mean

/etc/ssl/openssl.cnf

?


Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Dmitry Belyavsky-3


On Wed, Oct 30, 2019 at 6:08 PM Frederick Gotham <[hidden email]> wrote:
Dmitry Belyavsky <[hidden email]> wrote:


>> It can be done via the engine code and config.


Do you mean

/etc/ssl/openssl.cnf

?
Yes, or any custom. 
But the engine must provide the RAND_METHOD and set it as default. 


--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Dmitry Belyavsky <[hidden email]> wrote

>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
>
>



But if my TPM2 engine fails to load, then OpenSSL will just use the
'rdrand' engine.

So my defense agains this is to rebuild OpenSSL with the flag
OPENSSL_NO_RDRAND.

After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
no engine at all.

I tried running OpenSSL at my commandline just now, and here's what I got:

~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10
f49ca711e3056cf9064a
OpenSSL>


Where is it it getting that random data from ? ? ? There's no engine and
yet it can still get a random number! I even tried deleting /dev/random and
/dev/urandom, but it somehow is still getting random data from somewhere!
But where?



Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Dmitry Belyavsky-3


On Wed, Oct 30, 2019 at 6:20 PM Frederick Gotham <[hidden email]> wrote:
Dmitry Belyavsky <[hidden email]> wrote

>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
>
>



But if my TPM2 engine fails to load, then OpenSSL will just use the
'rdrand' engine.

So my defense agains this is to rebuild OpenSSL with the flag
OPENSSL_NO_RDRAND.

It means that you've disabled the RDRAND engine.
 
After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
no engine at all.

I tried running OpenSSL at my commandline just now, and here's what I got:

~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10
f49ca711e3056cf9064a
OpenSSL>


Where is it it getting that random data from ? ? ? There's no engine and
yet it can still get a random number! I even tried deleting /dev/random and
/dev/urandom, but it somehow is still getting random data from somewhere!
But where?



You still have the OpenSSL built-in RNG. 


--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Dmitry Belyavsky <[hidden email]> wrote:

>> You still have the OpenSSL built-in RNG.



Is there a simple compiler flag to remove this?

Or do I need to go into the source code and stick a "return -1;" somewhere?

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Dmitry Belyavsky-3

On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham <[hidden email]> wrote:
Dmitry Belyavsky <[hidden email]> wrote:

>> You still have the OpenSSL built-in RNG.



Is there a simple compiler flag to remove this?

Or do I need to go into the source code and stick a "return -1;" somewhere?

No. Openssl will not work if you do not provide a valid RAND_METHOD except a very minimal set of operations.

--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Dmitry Belyavsky <[hidden email]> wrote
in
news:[hidden email]:

> On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> <[hidden email]> wrote:
>
>> Dmitry Belyavsky <[hidden email]>
>> wrote:
>>
>> >> You still have the OpenSSL built-in RNG.
>>
>>
>>
>> Is there a simple compiler flag to remove this?
>>
>> Or do I need to go into the source code and stick a "return -1;"
>> somewhere?
>>
>> No. Openssl will not work if you do not provide a valid RAND_METHOD
>> except
> a very minimal set of operations.
>


So I have to go into the source code and do the following?

int RAND_bytes(unsigned char *buf, int num)
{
    memset(buf,0,num);
    return 1;
}

I can either make this function fail (e.g. call 'abort'), or I can always
make it return 0.

What do you think?

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Dmitry Belyavsky-3

On Wed, Oct 30, 2019 at 6:58 PM Frederick Gotham <[hidden email]> wrote:
Dmitry Belyavsky <[hidden email]> wrote
in
[hidden email]:

> On Wed, Oct 30, 2019 at 6:39 PM Frederick Gotham
> <[hidden email]> wrote:
>
>> Dmitry Belyavsky <[hidden email]>
>> wrote:
>>
>> >> You still have the OpenSSL built-in RNG.
>>
>>
>>
>> Is there a simple compiler flag to remove this?
>>
>> Or do I need to go into the source code and stick a "return -1;"
>> somewhere?
>>
>> No. Openssl will not work if you do not provide a valid RAND_METHOD
>> except
> a very minimal set of operations.
>


So I have to go into the source code and do the following?

int RAND_bytes(unsigned char *buf, int num)
{
    memset(buf,0,num);
    return 1;
}

I can either make this function fail (e.g. call 'abort'), or I can always
make it return 0.

What do you think?

No. It just makes the RNG unsuitable for any purpose but does not help you.

You should do in your engine the following:

Implement the TPM-provided RAND_METHOD in the engine
call ENGINE_set_RAND for RAND method in the engine bind fuction

and write a config file similar to
=========
openssl_conf = openssl_def
[ openssl_def ]
engines = engines_section
[ engines_section ]
cryptocom = my_section

[ my_section ]
engine_id = myengine.so
default_algorithms = RAND
=========

--
SY, Dmitry Belyavsky
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Dmitry Belyavsky <[hidden email]> wrote:

> You should do in your engine the following:


Just so you know, I'm not a developer of the TPM2 engine for OpenSSL.

Of course though I can still go in and edit the code here and there.


> Implement the TPM-provided RAND_METHOD in the engine
> call ENGINE_set_RAND for RAND method in the engine bind fuction
>
> and write a config file similar to
> <snip config file>


Even if I do all that, there is still the possibility that OpenSSL might
use its built-in generator (for example if my library fails to load).

So it seems I must get the built-in generator to either:
1) Always return 0
2) Call 'abort'





Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Jochen Bern
In reply to this post by Frederick Gotham
On 10/30/2019 04:19 PM, [hidden email] digested:
> From: Frederick Gotham <[hidden email]>
> To: [hidden email]
>
> I even tried deleting /dev/random and  /dev/urandom

... don't do that. The Linux kernel is both a provider and a consumer of
entropy, e.g., to randomize the TCP sequence numbers as it establishes
TCP connections on behalf of applications. Unless you go all the way and
add a TPM driver (as the only source of entropy) to *the kernel*, you
risk ending up with "good crypto" on the application layer but easily
hijacked connections, defeated stack randomization, SSH logins from
remote that fail, etc. etc..

Kind regards,
--
Jochen Bern
Systemingenieur

E  [hidden email]
W  www.binect.de
Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Jochen Bern <[hidden email]> wrote:

> SSH logins from remote that fail


This is my exact problem right now. My device has booted up and I can't SSH
into it.But this doesn't entirely make sense since it should be getting
random numbers from the TPM2 chip anyway.

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Frederick Gotham
<[hidden email]> wrote in
news:XnsAAF8BACC24C3Bfgotham@195.159.176.226:

> Jochen Bern <[hidden email]>
> wrote:
>
>> SSH logins from remote that fail
>
>
> This is my exact problem right now. My device has booted up and I
> can't SSH into it.But this doesn't entirely make sense since it should
> be getting random numbers from the TPM2 chip anyway.
 
 

And anyway this behaviour didn't come from deleting /dev/random, but rather
from making the default generator inside OpenSSL always give 0 for a random
byte.

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Frederick Gotham
<[hidden email]> wrote:
>
> And anyway this behaviour didn't come from deleting /dev/random, but
> rather from making the default generator inside OpenSSL always give 0
> for a random byte.



I will change the random number generator built into OpenSSL to always
return sequential numbers, something like:


{
    static char unsigned val = 0;

    while ( num-- )
        *buff++ = val++;
}

This shouldn't break anything.

Then if ever I am in doubt about where a random number came from, I just
check to see if it's something like 0102030405.

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Frederick Gotham wrote:
>
> I will change the random number generator built into OpenSSL to always
> return sequential numbers, something like:


Here's what I have:

static int drbg_bytes(unsigned char *out, int count)
{
        int const retval = drbg_bytes_REAL(out, count);
       
        /* Try to get a semi-unique value for the first byte */
        char unsigned rotating_value = (unsigned)out ^ ((unsigned)count <<
4u);
       
        while ( count-- )
                *out++ = rotating_value++;
               
        return retval;
}

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

Frederick Gotham
Frederick Gotham wrote:


> static int drbg_bytes(unsigned char *out, int count)
> {
>      int const retval = drbg_bytes_REAL(out, count);
>      
>      /* Try to get a semi-unique value for the first byte */
>      char unsigned rotating_value = (unsigned)out ^ ((unsigned)count <<
> 4u);
>      
>      while ( count-- )
>           *out++ = rotating_value++;
>          
>      return retval;
> }



Ugh........ This doesn't work either. It fails to boot up when it tries to
generate keys for SSH.

Next I'll try to make every nibble sequential -- instead of just every byte.

Reply | Threaded
Open this post in threaded view
|

Re: Remove All Software Generators

OpenSSL - User mailing list
In reply to this post by Frederick Gotham
Why not just change things so that if your module fails to load, the library exits?

Don't change the RAND code, change the INIT code.
 

12