[openssl-users] Help with using a dynamic engine with SSL_CTX

Brian Watson bwats9999 at gmail.com
Fri Dec 12 22:25:58 UTC 2014


Ok, thanks and good to know! I also ran a test as follows:

1. adb shell
2. openssl
3. OpenSSL> engine dynamic -pre SO_PATH:/system/lib/ssl/engines/libsslengine.so -pre ID:sslengine -pre LOAD
4. OpenSSL> rand -hex 512
5. I checked debug output and default_RAND_method was null which caused it
to be populated when RAND_bytes() called RAND_get_rand_method().
6. OpenSSL> engine dynamic -pre SO_PATH:/system/lib/ssl/engines/libsslengine.so -pre ID:sslengine -pre LOAD
7. OpenSSL> rand -hex 512
8. I checked debug output and default_RAND_method again and this time it
has something valid and thus doesn't get populated even though a new engine
could have been loaded.

Each time the engine is loaded it calls:
ENGINE_set_RAND() and
ENGINE_set_default() for ENGINE_METHOD_RAND

With the original issue I was trying to get working I have read where
Android preloads classes (some of these use openssl) at startup via
something called Zygote and one of these classes is used by my code. I see
the RNG get populated during startup by a class that's preloaded by Zygote
via some static initialization and then later on my software uses this
class. I think this is how the RNG got populated so soon. I'm just touching
the surface of this and it's just not 100% clear to me how this Zygote
preloading of classes and forking of processes works with regards to the
variables I'm seeing.

I'm going to go the route of calling the RAND_set_rand_method().

Thanks.

On Fri, Dec 12, 2014 at 6:53 AM, Thulasi Goriparthi <
thulasi.goriparthi at gmail.com> wrote:
>
> I had similar trouble a while ago.
>
> I understood that if a crypto/ssl application needs to use a RAND method before
> the intended engine is loaded, default_RAND_method would be populated with
> RAND_SSLeay().
>
> ENGINE_set_RAND wouldn't overwrite this, as the rand wrappers prefer
> default_RAND_method over the engine's default RAND method.
>
> So one needs to explicitly call either
> RAND_set_rand_method(rand_method_pointer), if one can directly access the
> engine's rand method, or RAND_set_rand_engine(e), where e is the preferred
> engine's reference.
>
> Thanks,
> Thulasi.
>
> On 10 December 2014 at 22:05, Brian Watson <bwats9999 at gmail.com> wrote:
>>
>> I checked and ENGINE_set_RAND function is being called. What I can't
>> figure out is the following:
>>
>> 1. RAND_get_rand_method() is called to get the random method, and in a
>> normal case default_RAND_METHOD would be null, which would cause
>> ENGINE_get_rand() to be called to get the random method for the engine
>> associated with RAND.
>> 2. In my particular case something has already caused default_RAND_METHOD
>> to be populated before I load my engine and the only place I see that it
>> can get reset is via RAND_set_rand_method() which can be called by
>> RAND_cleanup() and ENGINE_cleanup().
>>
>> Any ideas?
>>
>> On Wed, Dec 10, 2014 at 8:25 AM, Brian Watson <bwats9999 at gmail.com>
>> wrote:
>>
>>> I didn't call that one, but I'll give it a try. I also read that if
>>> someone subsequently calls ENGINE_load_builtin_engines() then it'll
>>> reset things back to how they were, so I'll look at that also.
>>>
>>> Thanks,
>>>   BW
>>>
>>> On Wed, Dec 10, 2014 at 1:06 AM, Dmitry Belyavsky <beldmit at gmail.com>
>>> wrote:
>>>
>>>> Hello Brian,
>>>>
>>>> Do you call ENGINE_set_RAND function?
>>>>
>>>> On Tue, Dec 9, 2014 at 11:19 PM, Brian Watson <bwats9999 at gmail.com>
>>>> wrote:
>>>>
>>>>> I thought that's what the following does:
>>>>>
>>>>> ENGINE_set_default(engine, ENGINE_METHOD_RAND).
>>>>>
>>>>> I'm also trying to figure out in rand_lib.c and RAND_get_rand_method()
>>>>> what causes default_RAND_meth to change.
>>>>>
>>>>> Thanks,
>>>>>    BW
>>>>>
>>>>> On Tue, Dec 9, 2014 at 1:52 PM, Dmitry Belyavsky <beldmit at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello!
>>>>>>
>>>>>> Do you set your RNG as default when the engine is loaded?
>>>>>>
>>>>>> On Tue, Dec 9, 2014 at 10:44 PM, Brian Watson <bwats9999 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>    I am doing the following:
>>>>>>>
>>>>>>> 1. I have a dynamic engine that I would like to use to produce
>>>>>>> random numbers on Android (aosp).
>>>>>>> 2. I can successfully load the dynamic engine by using the Android
>>>>>>> OpenSSLEngine.getInstance() which takes care of loading the engine and I
>>>>>>> can see that the binding is there via bind_engine and bind_helper via some
>>>>>>> debug prints that I have put in the engine. I follow this up by calling
>>>>>>> ENGINE_set_default() for ENGINE_METHOD_RAND. I am using the Apache Harmony
>>>>>>> jsse library.
>>>>>>> 3. Some time later there is a call to SSL_CTX_new() which starts the
>>>>>>> process of establishing the TLS session, etc.
>>>>>>> 4. I would like to see my random number generator get invoked to
>>>>>>> provide random numbers when needed, but for some reason the ssleay one is
>>>>>>> being called.
>>>>>>> 5. I can open an adb shell and run the openssl command and
>>>>>>> explicitly load the engine via:
>>>>>>>
>>>>>>> openssl engine dynamic -pre SO_PATH:/system/lib/ssl/engines/MyEngine.so -pre ID:myengine -pre LOAD.
>>>>>>> With this I see my random number generator get used, but when I try to do
>>>>>>> this programmatically it doesn't get called.
>>>>>>>
>>>>>>>
>>>>>>> I have a couple of questions:
>>>>>>>
>>>>>>>
>>>>>>> 1. Should this work even when using the SSL_CTX... APIs?
>>>>>>>
>>>>>>> 2. Am I setting up the engine too soon and then the SSL_CTX..
>>>>>>> commands clear them out?
>>>>>>>
>>>>>>>
>>>>>>> I've looked around a lot so any help would be greatly appreciated!
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>>    BW
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> openssl-users mailing list
>>>>>>> openssl-users at openssl.org
>>>>>>> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> SY, Dmitry Belyavsky
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> SY, Dmitry Belyavsky
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
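The ordering problem discussed in this thread (default_RAND_meth is chosen on the first RAND use and ENGINE_set_default() does not replace it afterwards; only RAND_set_rand_method() / RAND_set_rand_engine() do) is easiest to see in a small model. The block below is an added example written by the editor; it is not code from the thread and not libcrypto itself, but a stand-alone re-creation of the selection rules in OpenSSL 1.0.x rand_lib.c and tb_rand.c. All model_* names, the "ssleay" and "sslengine" labels and the three scenario functions are assumptions made for this example.

```c
/*
 * Added example (editor's illustration, not code from the thread or from
 * OpenSSL): a minimal model of how OpenSSL 1.0.x picks the RAND method.
 * The model_ names and the "ssleay"/"sslengine" labels are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; } model_rand_method;

typedef struct {
    const char *id;
    const model_rand_method *rand_meth; /* what ENGINE_set_RAND() stores */
} model_engine;

static const model_rand_method model_ssleay = { "ssleay" }; /* RAND_SSLeay() */

static const model_rand_method *default_rand_meth = NULL; /* rand_lib.c */
static model_engine *rand_table_default = NULL;            /* tb_rand.c */

static void model_reset(void)
{
    default_rand_meth = NULL;
    rand_table_default = NULL;
}

/* ENGINE_set_default(e, ENGINE_METHOD_RAND): only registers e in the table. */
static int model_engine_set_default_rand(model_engine *e)
{
    if (e == NULL || e->rand_meth == NULL)
        return 0;
    rand_table_default = e;
    return 1;
}

/* RAND_set_rand_method(): the one call that replaces a chosen method.
 * RAND_cleanup() and ENGINE_cleanup() reach it with NULL. */
static void model_rand_set_rand_method(const model_rand_method *m)
{
    default_rand_meth = m;
}

/* RAND_get_rand_method(): the engine table is consulted only while no
 * method has been chosen yet; after that the stored value sticks. */
static const model_rand_method *model_rand_get_rand_method(void)
{
    if (default_rand_meth == NULL) {
        model_engine *e = rand_table_default;
        if (e != NULL && e->rand_meth != NULL)
            default_rand_meth = e->rand_meth;
        else
            default_rand_meth = &model_ssleay;
    }
    return default_rand_meth;
}

/* RAND_set_rand_engine(e): install e's method regardless of prior state. */
static int model_rand_set_rand_engine(model_engine *e)
{
    if (e == NULL) {
        model_rand_set_rand_method(NULL);
        return 1;
    }
    if (e->rand_meth == NULL)
        return 0;
    model_rand_set_rand_method(e->rand_meth);
    return 1;
}

static const model_rand_method model_engine_meth = { "sslengine" };
static model_engine model_sslengine = { "sslengine", &model_engine_meth };

/* Scenario 1: engine registered before any RAND use (the adb shell case). */
const char *model_scenario_engine_first(void)
{
    model_reset();
    model_engine_set_default_rand(&model_sslengine);
    return model_rand_get_rand_method()->name;
}

/* Scenario 2: RAND used first (e.g. by a preloaded class), engine set later. */
const char *model_scenario_rand_first(void)
{
    model_reset();
    model_rand_get_rand_method();              /* populates ssleay */
    model_engine_set_default_rand(&model_sslengine);
    return model_rand_get_rand_method()->name; /* still ssleay */
}

/* Scenario 3: as scenario 2, then force the engine explicitly. */
const char *model_scenario_forced(void)
{
    model_reset();
    model_rand_get_rand_method();
    model_engine_set_default_rand(&model_sslengine);
    model_rand_set_rand_engine(&model_sslengine);
    return model_rand_get_rand_method()->name;
}

int main(void)
{
    printf("engine first: %s\n", model_scenario_engine_first());
    printf("rand first:   %s\n", model_scenario_rand_first());
    printf("forced:       %s\n", model_scenario_forced());
    return 0;
}
```

Scenario 2 is the situation Brian describes: something that ran before the engine was loaded already called into RAND, so ENGINE_set_default() for ENGINE_METHOD_RAND has no effect on the method already in use. Scenario 3 is the fix Thulasi suggests; the same reset also happens in the other direction, since ENGINE_cleanup() and RAND_cleanup() clear the chosen method back to NULL.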