Latest idea to force usage of custom engine
Frederick Gotham
cauldwell.thomas at gmail.com
Wed Nov 6 16:08:09 UTC 2019
I have abandoned my old idea of trying to get libOpenSSL to always read my
engine info from the config file (/etc/ssl/openssl.cnf).
Instead I'm going to try to manually load my own engine in the source code
for libOpenSSL.
I have created a new function in "rand_lib.c" as follows:
static void Do_Whatever_Needs_Done_For_TPM2(void)
{
    ENGINE *tpm2_engine;
    const RAND_METHOD *p_rm;

    /* rand_meth_lock is created by rand_lib.c's own one-time init; it must
     * already exist here, because locking a NULL lock crashes the process. */
    CRYPTO_THREAD_write_lock(rand_meth_lock);

    /* Initialize the dynamic engine loader */
    ENGINE_load_dynamic();

    /* If the first id fails, try the second one */
    tpm2_engine = ENGINE_by_id("tpm2tss");
    if (tpm2_engine == NULL)
        tpm2_engine = ENGINE_by_id("libtpm2tss");
    if (tpm2_engine == NULL) {
        assert(!"Do_Whatever_Needs_Done_For_TPM2: tpm2_engine == NULL");
        abort(); /* still fail hard when NDEBUG disables assert() */
    }

    /* Take a functional reference; this initialises the engine's RAND method */
    if (!ENGINE_init(tpm2_engine)) {
        assert(!"Do_Whatever_Needs_Done_For_TPM2: init_res == 0");
        abort();
    }

    p_rm = ENGINE_get_RAND(tpm2_engine);
    if (p_rm == NULL) {
        assert(!"Do_Whatever_Needs_Done_For_TPM2: p_rm == NULL");
        abort();
    }

    /* Install the engine as the process-wide default RAND method */
    funct_ref = tpm2_engine;
    default_RAND_meth = p_rm;
    rand_meth = *default_RAND_meth; /* Even set the DRBG func pointers */

    CRYPTO_THREAD_unlock(rand_meth_lock);
}
And then the next thing I've done is add the following code to the start
of "RAND_get_rand_method":
const RAND_METHOD *RAND_get_rand_method(void)
{
    /* Note: a plain static flag is not thread-safe; two threads entering
     * here concurrently could both see 1. */
    static int first_time_for_entire_process = 1;

    if (first_time_for_entire_process) {
        first_time_for_entire_process = 0;
        /* The function's normal one-time init (OpenSSL 1.1.1 names) creates
         * rand_meth_lock, so it must run before the hook takes that lock.
         * RUN_ONCE is idempotent, so the existing call further down is
         * unaffected. */
        if (!RUN_ONCE(&rand_init, do_rand_init))
            return NULL;
        Do_Whatever_Needs_Done_For_TPM2();
    }
    /* The rest of the function goes here */
}
I'm testing it now but it still seems that something isn't right.
I'm going to keep at this until every process (including ssh-keygen) is
using my custom engine for random numbers.