Force the use of engine in config file

Frederick Gotham cauldwell.thomas at gmail.com
Mon Nov 4 12:49:41 UTC 2019


Okay first I'll show the changes that I've made to the source code and 
build setup for "libopenssl".

I have added two compiler flags:  OPENSSL_NO_RDRAND, OPENSSL_LOAD_CONFIG

Note that the following compiler flag is NOT set: 
OPENSSL_NO_AUTOLOAD_CONFIG

And here are the source code changes:

(1) File: ssl_init.c
    Purpose of Alteration: Clear the option flag bit for not loading conf
    Alteration: In the function "OPENSSL_init_ssl", insert the following 
line at the beginning of the function:

    opts &= ~(uint64_t)OPENSSL_INIT_NO_LOAD_CONFIG;  /* Clear the bit for not loading TPM2 engine */

(2) File: drbg_lib.c
    Purpose of Alteration: Make a log of all uses of the built-in 
generator
    Alteration: Rename the function definition "drbg_bytes" to 
"drbg_bytes_REAL", and then append the following to the end of the file:

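#include <fcntl.h>      /* open, O_CREAT */
#include <stdio.h>
#include <string.h>
#include <sys/file.h>   /* flock */
#include <time.h>
#include <unistd.h>     /* close */

static int drbg_bytes(unsigned char *out, int count)
{
	int const retval = drbg_bytes_REAL(out, count);  /* I renamed the real function */

	/* O_CREAT requires a mode argument; without it the file permissions are indeterminate */
	int const fd_lock = open("/tmp/locker_for_randomness_log", O_RDONLY | O_CREAT, 0600);

	if ( fd_lock >= 0 )
		flock(fd_lock, LOCK_EX);  /* Serialise writers across processes */

	{
		FILE *const pfile = fopen("/var/log/bad_randomness.log", "a");

		if ( NULL != pfile )
		{
			time_t ltime;
			struct tm result;
			char stime[32];

			ltime = time(NULL);
			localtime_r(&ltime, &result);
			asctime_r(&result, stime);
			stime[ strlen(stime) - 1 ] = ' ';  /* Get rid of newline char at the end */
			fprintf(pfile, "%s - - - %u bytes\n", stime, (unsigned)count);
			fclose(pfile);
		}
	}

	if ( fd_lock >= 0 )
	{
		flock(fd_lock, LOCK_UN);
		close(fd_lock);  /* Without this, one descriptor leaks on every call */
	}

	return retval;
}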


I have reconfigured and rebuilt "libopenssl", and so I boot up my device 
and then I run the following command:

    tail -F /var/log/bad_randomness.log

This file shouldn't exist if the built-in generator is never used -- but 
somehow, some way, even with all the changes I've made above, at least 
one of the running processes that links with "libssl.so" is NOT using the 
engine I specify in the config file "/etc/ssl/openssl.cnf". Looking at the 
output from the 'tail' command above, it's requesting 16 bytes of random 
data every 6 seconds. Here's the repeated line:

    Mon Nov 04 12:41:06 2019  - - - 16 bytes

Here's how I get a list of all the processes currently using "libssl.so":

    grep libssl /proc/*/maps | cut -d ':' -f 1 | cut -d '/' -f 3 | uniq | xargs -n1 -i ls -l /proc/{}/exe

And there's the output I'm getting:

lrwxrwxrwx    1 root     root             0 Feb 16 02:54 /proc/1622/exe -> /usr/sbin/lighttpd
lrwxrwxrwx    1 root     root             0 Feb 16 02:54 /proc/1681/exe -> /opt/prodanko/bin/callar_plugin

So this means that one of these two programs is somehow managing to load 
up the 'libopenssl' library and get it to use its internal random number 
generator. I wonder if this is being achieved with explicit library calls 
to functions such as "OPENSSL_add_all_algorithms_noconf"?

I suppose I could also add a stack trace to my log file to try to figure out 
which process is requesting those 16 bytes every 6 seconds.

Any ideas on what to try next?
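
The following is an added example, not part of the original post and not OpenSSL code: one way to make each log record name the process that reached the built-in generator, plus a backtrace as the post suggests. The helper names `format_rng_record` and `log_rng_caller` are hypothetical, and the code assumes Linux `/proc` and glibc's `<execinfo.h>`.

```c
#define _GNU_SOURCE            /* for O_CLOEXEC, readlink(), flock() */
#include <execinfo.h>          /* backtrace(): glibc-specific (assumption) */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: build one record that names the calling process. */
static int format_rng_record(char *buf, size_t len, int count)
{
    char exe[256];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) {               /* /proc unavailable: keep the PID at least */
        exe[0] = '?';
        n = 1;
    }
    exe[n] = '\0';             /* readlink() does not NUL-terminate */
    return snprintf(buf, len, "%ld pid=%ld exe=%s - - - %u bytes\n",
                    (long)time(NULL), (long)getpid(), exe, (unsigned)count);
}

/* Hypothetical helper: append the record and a backtrace under one lock. */
static int log_rng_caller(const char *path, int count)
{
    char line[512];
    void *frames[32];
    int len = format_rng_record(line, sizeof line, count);
    int fd, rc = -1;
    if (len < 0 || (size_t)len >= sizeof line)
        return -1;
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) == 0 && write(fd, line, (size_t)len) == len) {
        /* Raw frames go straight to the fd; resolve them offline with addr2line. */
        backtrace_symbols_fd(frames, backtrace(frames, 32), fd);
        rc = 0;
    }
    close(fd);                 /* closing the descriptor drops the flock */
    return rc;
}

int main(void)
{
    /* Constructed path for a stand-alone run; not the path from the post. */
    return log_rng_caller("/tmp/rng_caller_demo.log", 16) ? 1 : 0;
}
```

Called from the logging wrapper with the real log path, the `pid=` and `exe=` fields separate the two candidate processes directly, without waiting on symbol resolution of the backtrace.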


