Okay first I'll show the changes that I've made to the source code and
build setup for "libopenssl".
I have added two compiler flags: OPENSSL_NO_RDRAND, OPENSSL_LOAD_CONFIG
Not that the following compiler flag is NOT set:
OPENSSL_NO_AUTOLOAD_CONFIG
And here are the source code changes:
(1) File: ssl_init.c
Purpose of Alteration: Clear the option flag bit for not loadind conf
Alteration: In the function "OPENSSL_init_ssl", insert the following
line at the beginning of the function:
opts &= ~(uint64_t)OPENSSL_INIT_NO_LOAD_CONFIG; /* Clear the bit for
not loading TPM2 engine */
(2) File: drbg_lib.c
Purpose of Alteration: Make a log of all uses of the built-in
generator
Alteration: Rename the function definition "drbg_bytes" to
"drbg_bytes_REAL", and then append the following to the end of the file:
#include <sys/file.h>
static int drbg_bytes(unsigned char *out, int count)
{
int const retval = drbg_bytes_REAL(out, count); /* I renamed the
real function */
int const fd_lock = open("/tmp/locker_for_randomness_log", O_CREAT);
flock(fd_lock, LOCK_EX);
{
FILE *const pfile = fopen("/var/log/bad_randomness.log", "a");
if ( NULL != pfile )
{
time_t ltime;
struct tm result;
char stime[32];
ltime = time(NULL);
localtime_r(<ime, &result);
asctime_r(&result, stime);
stime[ strlen(stime) - 1 ] = ' '; /* Get rid of newline
char at the end */
fprintf(pfile, "%s - - - %u bytes\n", stime, (unsigned)
count);
fclose(pfile);
}
}
flock(fd_lock, LOCK_UN);
return retval;
}
I have reconfigured and rebuilt "libopenssl", and so I boot up my device
and then I run the following command:
tail -F /var/log/bad_randomness.log
This file shouldn't exist if the built-in generator is never used -- but
some how, some way, even with all the changes I've made above, at least
one of the running processes that links with "libssl.so" is NOT using the
engine I specify in the config file "/etc/ssl/openssl.cnf". Looking at the
output from the 'tail' command above, it's requesting 16 bytes of random
data every 6 seconds. Here's the repeated line:
Mon Nov 04 12:41:06 2019 - - - 16 bytes
Here's how I get a list of all the procesess currently using "libssl.so":
grep libssl /proc/*/maps | cut -d ':' -f 1 | cut -d '/' -f 3 | uniq |
xargs -n1 -i ls -l /proc/{}/exe
And there's the output I'm getting:
lrwxrwxrwx 1 root root 0 Feb 16 02:54 /proc/1622/exe ->
/usr/sbin/lighttpd
lrwxrwxrwx 1 root root 0 Feb 16 02:54 /proc/1681/exe ->
/opt/prodanko/bin/callar_plugin
So this means that one of these two progams is some how managing to load
up the 'libopenssl' library and get it to use its internal random number
generator. I wonder if this is being achieved with explicit library calls
to functions such as "OPENSSL_add_all_algorithms_noconf"?
I suppose I could also add a stack trace to my log file to try figure out
which process is requesting those 16 bytes every 6 seconds.
And idead on what to try next?
