Topic: Setting up wolfEngine to be used with OpenSSL

Hi all,

I have an existing application that uses OpenSSL and would like to use wolfEngine on top of it. I'm working on Mac OSX and have followed the instructions in https://github.com/wolfSSL/wolfEngine as well as watched the wolfEngine webinar at https://www.youtube.com/watch?v=ini0rKfk3mY. I ran

make check

successfully but aside from that, I'm not sure if installation of wolfEngine worked correctly, as I don't see any .so files in .libs/.

Assuming this is normal though and wolfEngine is correctly installed, what is the process of then using it as an engine for OpenSSL? I would like to perform the sanity check shown at 16:00 in the webinar but I'm not sure where the shared object resides after wolfEngine installation.

Thank you for any help!

Re: Setting up wolfEngine to be used with OpenSSL

Hi,

On Mac, the extension will be .dylib rather than .so:

haydenroche@Haydens-MBP:~/wolfEngine$ ls .libs
total 488
-rwxr-xr-x  1 haydenroche  staff   37624 Nov 16 11:26 bench
-rwxr-xr-x  1 haydenroche  staff  203288 Nov 16 11:26 libwolfengine.1.dylib
lrwxr-xr-x  1 haydenroche  staff      21 Nov 16 11:26 libwolfengine.dylib -> libwolfengine.1.dylib
lrwxr-xr-x  1 haydenroche  staff      19 Nov 16 11:26 libwolfengine.la -> ../libwolfengine.la
-rw-r--r--  1 haydenroche  staff    1075 Nov 16 11:26 libwolfengine.lai

I just ran the same demo from the webinar on my Mac, and everything appears to work correctly. I recommend configuring wolfEngine with --enable-debug so that you can see wolfEngine's being used.

Let me know if you have any further issues!

Thanks,

Hayden Roche
wolfSSL Software Engineer

Re: Setting up wolfEngine to be used with OpenSSL

Hey Hayden, thanks for the reply.

Things are working well now and we have wolfEngine working 2 separate ways with openssl.cnf and ENGINE_load_wolfengine().

Re: Setting up wolfEngine to be used with OpenSSL

That's great to hear!

Re: Setting up wolfEngine to be used with OpenSSL

Hi Hayden,

I have a couple questions about using wolfEngine from a config file.

I've set my /usr/local/ssl/openssl.cnf with the following:

openssl_conf = openssl_init

[ openssl_init ]
oid_section             = new_oids
engines = engine_section

[ engine_section ]
wolfSSL = wolfssl_section

[ wolfssl_section ]
engine_id = libwolfengine
dynamic_path = /usr/local/lib/engines-1.1/libwolfengine.dylib
init = 1
enable_debug = 1
default_algorithms = ALL

Now this appears to work on the command line, as when I run "openssl engine" it prints multiple lines regarding wolfEngine, and running "openssl aes" commands on the CL also indicates that wolfEngine is being used.

However, when running this code:

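#include <stdio.h>
#include <openssl/engine.h>
#include <openssl/rand.h>

int main(void) {
    printf("Hello, World!\n");

    ENGINE *e;
    ENGINE_load_builtin_engines();
    /* Look the engine up by ID and initialize it; stop if either step fails. */
    e = ENGINE_by_id("libwolfengine");
    if (e == NULL || 1 != ENGINE_init(e)) {
        fprintf(stderr, "could not load or initialize libwolfengine\n");
        return 1;
    }
    //ENGINE_set_default(e, ENGINE_METHOD_ALL); // so far wolfEngine only outputs logs if this is set

    //ENGINE_finish(e);
    //ENGINE_free(e);

    // print wolfEngine logs
    ENGINE_ctrl_cmd(e, "enable_debug", 1, NULL, NULL, 0);

    /* Request random bytes; this goes through whichever RAND method is the default. */
    unsigned char buffer[128];
    if (1 != RAND_bytes(buffer, sizeof(buffer))) {
        fprintf(stderr, "error with RAND_bytes\n");
    }

    printf("Made it to end\n");

    return 0;
}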

It doesn't indicate that wolfEngine is being used unless I uncomment "ENGINE_set_default". But my questions are:

1. Is there a way to use wolfEngine without calling any ENGINE functions? For example, if I called RAND_bytes in my code without using any ENGINE calls, it would use wolfEngine. I would like to be able to use my existing OpenSSL code and not have to add to it.
2. If yes to 1, how can I verify OpenSSL is delegating the function calls to wolfEngine?

Thank you

6 (edited by hayden 2021-11-19 13:46:09)

Re: Setting up wolfEngine to be used with OpenSSL

Hi,

Your test program isn't actually using the configuration file you've written, I think. I've attached examples.tar.gz to this message. It contains an example of how to use wolfEngine with a config file and some documentation. Specifically, you're missing this

OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
                    OPENSSL_INIT_ADD_ALL_DIGESTS |
                    OPENSSL_INIT_LOAD_CONFIG, NULL);

and you need to make sure the environment variable OPENSSL_CONF points to your config file. Please refer to the attached examples for more details.

As long as you've built wolfEngine with --enable-debug and you've got

enable_debug = 1
default_algorithms = ALL

in your config file, wolfEngine will be used for all algorithms it provides and debug messages should be printed to stderr, indicating that wolfEngine's being used. If you get the configuration file right, you won't need any of this

ENGINE *e;
ENGINE_load_builtin_engines();
e = ENGINE_by_id("libwolfengine");
ENGINE_init(e);
//ENGINE_set_default(e, ENGINE_METHOD_ALL); // so far wolfEngine only outputs logs if this is set

//ENGINE_finish(e);
//ENGINE_free(e);

// print wolfEngine logs
ENGINE_ctrl_cmd(e, "enable_debug", 1, NULL, NULL, 0);

Thanks!

Hayden

Post's attachments

examples.tar.gz 2.17 kb, 2 downloads since 2021-11-19 

Re: Setting up wolfEngine to be used with OpenSSL

Hey Hayden, thanks for the reply, the examples folder you linked was really helpful. The two C files you included are working as expected, which is also great. Just checking though, and maybe it is a bit too hopeful, is there any way to have OpenSSL default to using wolfEngine without writing any additional code, even without having to add

OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
                    OPENSSL_INIT_ADD_ALL_DIGESTS |
                    OPENSSL_INIT_LOAD_CONFIG, NULL);

?

Re: Setting up wolfEngine to be used with OpenSSL

Hi,

Does your application support using an OpenSSL configuration file already? If so, then no changes to the code are required. Just write the config file and point to it with OPENSSL_CONF. If it doesn't support a config file, then I don't see a way to get wolfEngine support without touching the source code.

Thanks,

Hayden
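
An added example, not part of the original posts or of wolfEngine: a Python check of the openssl_conf, engines and engine-section chain that a config-file setup like the one in this thread relies on, reporting why an engine would load without becoming the default. The function names and the sample text are constructed for illustration; the parser is a simplification that handles only '#' comments and [ section ] headers.

```python
import re

def parse_cnf(text):
    """Parse OpenSSL config text into {section: [(key, value), ...]}, order kept."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def check_engine_config(text, engine_id="libwolfengine"):
    """Return reasons the engine would not become the default (empty list = OK)."""
    cnf, section = parse_cnf(text), "default"
    for key in ("openssl_conf", "engines"):       # follow the chain of section names
        section = dict(cnf[section]).get(key)
        if section not in cnf:
            return [f"'{key}' does not name an existing section"]
    for name, target in cnf[section]:
        items = cnf.get(target, [])
        opts = dict(items)
        if opts.get("engine_id", name) != engine_id:
            continue
        problems = []
        if "engine_id" in opts and items[0][0] != "engine_id":
            problems.append("engine_id must be the first command in its section")
        if "default_algorithms" not in opts:
            problems.append("no default_algorithms: engine loads but is not the default")
        return problems
    return [f"no engine section with id {engine_id!r}"]

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE = """
openssl_conf = openssl_init
[ openssl_init ]
engines = engine_section
[ engine_section ]
wolfSSL = wolfssl_section
[ wolfssl_section ]
engine_id = libwolfengine
dynamic_path = /usr/local/lib/engines-1.1/libwolfengine.dylib
init = 1
default_algorithms = ALL
"""
print(check_engine_config(SAMPLE) or "engine chain is complete")
```

A missing default_algorithms line is the config-file counterpart of leaving ENGINE_set_default commented out: the engine loads, but the built-in implementations keep serving calls such as RAND_bytes.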

Re: Setting up wolfEngine to be used with OpenSSL

Hey Hayden, thanks for the help so far.

I'm attempting to add wolfEngine to nginx, as you mentioned in the webinar that it's confirmed supported. I load libwolfengine dynamically in nginx/src/core/nginx.c's main() function and see wolfEngine logs when running nginx such as

...
wolfEngine Entering we_ec_cleanup
wolfEngine Leaving we_ec_cleanup, return 1
wolfEngine Entering we_digests
wolfEngine Leaving we_digests, return 1
wolfEngine Entering we_sha_init
Initializing wolfCrypt wc_HashAlg structure: 0x7f92be70a3d0
wolfEngine Leaving we_sha_init, return 1
wolfEngine Entering we_digest_update
wolfEngine Leaving we_digest_update, return 1
wolfEngine Entering we_digest_final
Message Digest
wolfEngine Leaving we_digest_final, return 1
wolfEngine Entering we_digest_cleanup
wolfEngine Leaving we_digest_cleanup, return 1
...

However, in nginx/src/event/ngx_event_accept.c's ngx_event_accept() function I don't see any wolfEngine debug logs. I've even explicitly added some RAND_bytes() calls that should trigger wolfEngine debug logs, but there's none. I also try loading libwolfengine in ngx_event_accept() the same way I did in main(), but despite ENGINE_by_id, ENGINE_init, ENGINE_set_default, and ENGINE_ctrl_cmd all returning 1 indicating a success, no debug logs are shown.

How can I verify wolfEngine is working properly for nginx, and why aren't wolfEngine debug logs showing up in the nginx event loop?

10 (edited by hayden 2021-12-06 11:17:31)

Re: Setting up wolfEngine to be used with OpenSSL

am wrote:

However, in nginx/src/event/ngx_event_accept.c's ngx_event_accept() function I don't see any wolfEngine debug logs. I've even explicitly added some RAND_bytes() calls that should trigger wolfEngine debug logs, but there's none. I also try loading libwolfengine in ngx_event_accept() the same way I did in main(), but despite ENGINE_by_id, ENGINE_init, ENGINE_set_default, and ENGINE_ctrl_cmd all returning 1 indicating a success, no debug logs are shown.

I'm not familiar with all the details of how nginx is coded, but it's possible that the debug output is getting redirected somewhere (to a log file, or even to nowhere, e.g. using /dev/null).

am wrote:

How can I verify wolfEngine is working properly for nginx, and why aren't wolfEngine debug logs showing up in the nginx event loop?

Build wolfEngine with --enable-debug and then run nginx in the foreground under gdb. Set a breakpoint on we_rand_bytes, which is what should be called by RAND_bytes. If this function doesn't get hit, something's wrong and wolfEngine isn't being used.

Also note that you can change wolfEngine's logging behavior with wolfEngine_SetLoggingCb. In the callback you supply, you could have all wolfEngine logs go to a file, for example.

Thanks,

Hayden
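
An added example, not part of the original posts or of wolfEngine: once the debug output has been captured to a file, this Python sketch summarises which we_* entry points were hit and whether an expected one, such as we_rand_bytes, never appears. It assumes every entry point logs in the same "Entering"/"Leaving ..., return N" form as the excerpt earlier in the thread and that a return value other than 1 means failure; the function name and the sample, built from lines of that excerpt, are constructed for illustration.

```python
import re
from collections import Counter

# Line formats taken from the debug excerpt in the thread; search() tolerates
# a prefix such as a timestamp added by whatever captures the output.
ENTER = re.compile(r"wolfEngine Entering (\w+)$")
LEAVE = re.compile(r"wolfEngine Leaving (\w+), return (-?\d+)$")

def summarise_log(text, required=("we_rand_bytes",)):
    """Count calls per function, collect failures, and list required functions never seen."""
    calls, failed, stack = Counter(), [], []
    for line in text.splitlines():
        line = line.strip()
        entered, left = ENTER.search(line), LEAVE.search(line)
        if entered:
            calls[entered.group(1)] += 1
            stack.append(entered.group(1))      # calls may nest, so track a stack
        elif left:
            name, ret = left.group(1), int(left.group(2))
            if stack and stack[-1] == name:
                stack.pop()
            if ret != 1:                         # assumption: 1 means success
                failed.append((name, ret))
    return {
        "calls": dict(calls),
        "failed": failed,
        "unfinished": stack,                     # entered but never left
        "missing": [name for name in required if name not in calls],
    }

# Constructed sample: lines copied from the excerpt posted in the thread.
SAMPLE_LOG = """\
wolfEngine Entering we_digests
wolfEngine Leaving we_digests, return 1
wolfEngine Entering we_sha_init
Initializing wolfCrypt wc_HashAlg structure: 0x7f92be70a3d0
wolfEngine Leaving we_sha_init, return 1
wolfEngine Entering we_digest_update
wolfEngine Leaving we_digest_update, return 1
"""

if __name__ == "__main__":
    print(summarise_log(SAMPLE_LOG))
```

On this sample the digest functions are counted and we_rand_bytes is reported as missing, which is the situation described for the nginx event loop.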
