Resetting EVP_set_default_properties to avoid usage of tpm provider.

[sumanth797]

Hi,

I'm using tpm2 provider and set the EVP property with tpm2 query for performing CMP IR, after the end of the IR, I don't want to use the provider.

For Performing IR,

**Loading providers: **

#define TPM2_PROVIDER "/usr/lib64/ossl-packages/tpm2.so"
#define TPM_PROP_QUERY "?provider=tpm2,tpm2.digest!=yes"

loadedProvider = OSSL_PROVIDER_load(NULL, TPM2_PROVIDER);
if (!loadedProvider)
{
ERR_print_errors_fp(stderr);
}
if (! EVP_set_default_properties(NULL, TPM_PROP_QUERY))
{
ERR_print_errors_fp(stderr);
}

**Unloading Providers: **
if (loadedProvider != nullptr)
{
OSSL_PROVIDER_unload(loadedProvider);
loadedProvider = nullptr;
}

I don't want to use the providers, even after unloading it, I got the below errors. It is running in same memory context

**These are the errors i got, when i'm not relying on providers: **

RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
RAND GET_CTX_PARAMS [ strength ]
0017E64D487F0000:error:1C8000BB:Provider routines:get_entropy:parent cannot supply entropy seed:providers/implementations/rands/drbg.c:211:
0017E64D487F0000:error:1C8000BD:Provider routines:ossl_prov_drbg_instantiate:error retrieving entropy:providers/implementations/rands/drbg.c:456:
0017E64D487F0000:error:1200006C:random number generator:rand_new_drbg:error instantiating drbg:crypto/rand/rand_lib.c:607:
0017E64D487F0000:error:02080003:rsa routines:RSA_setup_blinding:BN lib:crypto/rsa/rsa_crpt.c:161:
0017E64D487F0000:error:020C0103:rsa routines:rsa_ossl_private_encrypt:internal error:crypto/rsa/rsa_ossl.c:304:
0017E64D487F0000:error:1C880004:Provider routines:rsa_sign:RSA lib:providers/implementations/signature/rsa_sig.c:588:
0017E64D487F0000:error:06880006:asn1 encoding routines:ASN1_item_sign_ctx:EVP lib:crypto/asn1/a_sign.c:284:
0017E64D487F0000:error:1D0000A3:CMP routines:ossl_cmp_certreq_new:error creating certreq:crypto/cmp/cmp_msg.c:439:

Is there any way to set it back to normal in the same context,
**How to EVP_set_default_properties without any providers, like resetting it without use of any provider? **
What prop query i have to use?
I tried using NULL also, it still throws same error.
EVP_set_default_properties(NULL, NULL);

Thanks in advance.

[nhorman]

can you provide a more complete reproducer example please? Dependent on exactly how you create/manage your context, if you have an allocated instance of a rand object in your context, the provider will still be used, even after unloading it.

[sumanth797]

Thanks for the reply @nhorman.
I'm not setting or creating any rand context,
when I'm trying to read the private key from TPM key handle 0x81010001, I'm using the providers to read it, so i'm using the above lines to load the providers and read the key in EVP_PKEY format.

This is the code; I use to read the private key info from 0x81010001

OSSL_STORE_CTX *ctx;

if (ctx = OSSL_STORE_open("handle:0x81010001", NULL, NULL, NULL, NULL)) {
    while (OSSL_STORE_eof(ctx) == 0) {
        OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
        if (info && OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
            EVP_PKEY *pkey = OSSL_STORE_INFO_get1_PKEY(info);

            OSSL_STORE_INFO_free(info);
        }
    }
}

And then, when i fetch the EVP_PKEY *pkey , this is the information it gives,
PROVIDER INIT
providers loaded successfully
DIGEST SHA1 GET_PARAMS [ blocksize size xof algid-absent ]
DIGEST SHA256 GET_PARAMS [ blocksize size xof algid-absent ]
DIGEST SHA384 GET_PARAMS [ blocksize size xof algid-absent ]
tpm private key generation created for 0x81010001 for SUM
STORE/OBJECT OPEN handle:0x81010001
STORE/OBJECT LOAD
STORE/OBJECT LOAD pkey
STORE/OBJECT LOAD found RSA
RSA LOAD
RSA GET_PARAMS [ bits security-bits max-size ]
RSA HAS 1
pkey is not empty
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x87
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/der DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa pkcs1/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x87
ENCODER tss PrivateKeyInfo/pem ENCODE 0x87
hit
-----BEGIN TSS2 PRIVATE KEY-----
MIIBNgYGZ4EFCgEDoAMBAQACBEAAAAEEggEYARYAAQALAAYAcgAAABAAEAgAAAAA
AAEAvLczqCsIFrukDFgk2Nbm+PWDYyEHYTDV8/OLNp5agNl4zj5QIpcSul4zgBlc
yWjLwFv9qCXMVXCoHov7eADOQYcjAisBfrA+cfU2cj0s3o09Nl1ELGr4IOZO5G0Z
s+H01UWnfnWo1mxbWPZZ56v2OObjNYHQDpSJc1DggTkWv1N6vF4/n0577ASvBDh/
NVrleSLksa5xPhnvyu3f20JS2RfruvZlyuDWX2Gei0/vyWH5ehHK/i4nNmDTanAu
eWITJx0/M904Ms1DxXoX9yIC3wTLGW4H26whYjMGpxRtNX74h3WLvTLOpbcjYbsI
mrFLsSjDqMoaSv0MI0mI054ezQQFAAMBgQA=
-----END TSS2 PRIVATE KEY-----
handle tpm key is fetched

After setting the value to cmp context, CMP IR is performed, this is the info it gives

RAND NEW
RAND NEW
RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/der DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER tss PrivateKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa pkcs1/der DOES_SELECTION 0x86
ENCODER rsa pkcs1/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/pem DOES_SELECTION 0x86
ENCODER rsa SubjectPublicKeyInfo/der ENCODE 0x86
RSA GET_PARAMS [ default-digest mandatory-digest ]
SIGN DIGEST_INIT rsa MD=SHA2-256
SIGN GET_CTX_PARAMS [ algorithm-id ]
SIGN DIGEST_SIGN estimate
SIGN DIGEST_SIGN
RSA HAS 2
RSA NEW
RSA IMPORT [ n e ]
RSA MATCH 0x6
SIGN DIGEST_INIT rsa MD=SHA256
SIGN GET_CTX_PARAMS [ algorithm-id ]
SIGN DIGEST_SIGN estimate
SIGN DIGEST_SIGN
RSA NEW
RSA IMPORT [ n e ]
SIGN DIGEST_INIT rsa MD=SHA256
SIGN DIGEST_START
SIGN DIGEST_UPDATE
SIGN DIGEST_VERIFY_FINAL
RSA HAS 2
RSA NEW
RSA IMPORT [ n e ]
RSA MATCH 0x6
RAND GET_CTX_PARAMS [ max_request ]
RAND GENERATE
RSA HAS 2
RSA MATCH 0x6
SIGN DIGEST_INIT rsa MD=SHA256
SIGN GET_CTX_PARAMS [ algorithm-id ]
SIGN DIGEST_SIGN estimate
SIGN DIGEST_SIGN
SIGN DIGEST_INIT rsa MD=SHA256
SIGN DIGEST_START
SIGN DIGEST_UPDATE
SIGN DIGEST_VERIFY_FINAL

And then unloading the providers after the IR is finished as part of destructor.

This is the cmp_ctx i'm creating,
**

std::unique_ptr<OSSL_CMP_CTX, decltype(&OSSL_CMP_CTX_free)> cmpCtx(
OSSL_CMP_CTX_new(NULL, NULL), &OSSL_CMP_CTX_free);

**

I'm not creating any RAND_CTX internally, I just loaded and unloaded providers and also setting up the EVP_set_default_properties.. Is there any mechanism to clean up even after unloading the providers? Just to make it back to non provider(no provider).

I'm not using any provider for KUR, and this is running in the same memory location in the mock server. So, after restarting the mock server and perform KUR, it works. If I'm not restarting server KUR keeps on crashing. And the above error logs is seen.

So, in the same server and memory context, how to make it happen?