AWS RNDR Engine for OpenSSL

A Random Number Generation Engine for OpenSSL making use of the Arm instruction RNDR.

Build Requirements

  • CMake
  • OpenSSL Development files (i.e. openssl-devel/libssl-dev)
    • The development files’ versions must match the version of OpenSSL which will run the engine.
  • C compiler
  • OpenSSL
  • Perl
  • Target host with an Arm 64 CPU

Test and Run Requirements

  • OpenSSL
  • Host running on an Arm 64 CPU which has access to the RNDR and RNDRRS instructions

Installation

Run once:

mkdir build
cd build
cmake ../

Quick Install

make
make install

Configuring Build

cmake ../

Run cmake --help for details regarding configuration options.

Some useful configuration options are:

  -DCMAKE_INSTALL_PREFIX=DIR    install library to specified directory prefix
  -DCMAKE_INSTALL_LIBDIR=DIR    install library to specified directory
  -DOPENSSL_ROOT_DIR=DIR        set destination for OpenSSL root directory
  -DCMAKE_C_FLAGS=FLAGS         set additional CFLAGS for compilation

Installing to a non-default engine location

Engine libraries (eng_rndr.so) are installed by default to ${CMAKE_INSTALL_LIBDIR}, which usually refers to /usr/local/lib/. This location can be overridden at configuration time using -DCMAKE_INSTALL_PREFIX=DIR.

For example, to install the engine library to /usr/lib/aarch64-linux-gnu/engines-1.1/:

cmake -DCMAKE_INSTALL_PREFIX=/usr/lib/aarch64-linux-gnu/engines-1.1/ ../

Make

make

Generated shared library files libeng_rndr.so* will be located in ./build.

Testing

Verify that random number generation functions for the engine work.

make test ARGS="-V"

The test run prints messages such as the following.

Loading test...
Running 'sanity_check_rndr_bytes'...
Test succeeded
Running 'sanity_check_rndrrs_bytes'...
Test succeeded

Test that the engine built successfully and can be installed.

openssl engine -t -c src/.libs/libeng_rndr.so

This will print the engine's details and availability.

(eng_rndr) Arm RNDR engine
Loaded: (rndr) Arm RNDR engine
 [RAND]
     [ available ]

Test random number generation using the engine.

openssl rand -engine build/libeng_rndr.so -hex 10

This will display 10 randomly generated bytes in hexadecimal.

engine "rndr" set.
01c1269d93d9f01ebff4

Installation

Installation may require root privileges. To install, run:

make install

Environment Variable

Set the OPENSSL_ENGINES environment variable in your shell startup files (export OPENSSL_ENGINES=INSTALLATION_DIR). This allows openssl to find the RNDR engine.

If using OpenSSL 1.0.2, the engine will be called eng_rndr. If using OpenSSL 1.1.1 or above, the engine will be called libeng_rndr.

Verify installation works:

openssl engine -t -c libeng_rndr

...
(rndr) Arm RNDR engine
 [RAND]
     [ available ]

Dynamic Engine Installation

After installing, update openssl.cnf to contain the following.

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
eng_rndr = eng_rndr_section

[eng_rndr_section]
engine_id = libeng_rndr
dynamic_path = <PATH TO INSTALLED libeng_rndr.so>
init = 0

Verify installation works:

openssl engine -t -c

...
(rndr) Arm RNDR engine
 [RAND]
     [ available ]
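
A preflight check for the requirements and verification steps above, as an added example that is not part of the project's own code. The function names are hypothetical, the sample inputs are constructed, and it assumes a Linux host, where /proc/cpuinfo lists the rng feature flag when RNDR and RNDRRS are usable.

```shell
#!/bin/sh
# Added example, not project code. Function names are hypothetical.

# cpu_has_rng FILE: succeed only if FILE (default /proc/cpuinfo, "-" = stdin)
# has at least one "Features" line and every such line lists "rng", the flag
# Linux reports when RNDR/RNDRRS are usable. No Features line fails closed.
cpu_has_rng() {
    awk '
        /^Features[ \t]*:/ {
            seen = 1; found = 0
            sub(/^Features[ \t]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == "rng") found = 1
            if (!found) missing = 1
        }
        END { exit !(seen && !missing) }
    ' "${1:-/proc/cpuinfo}"
}

# engine_reports_available: read `openssl engine -t -c` output on stdin and
# succeed only if the (rndr) entry lists [RAND] and passed the -t check.
engine_reports_available() {
    awk '
        /\(rndr\) Arm RNDR engine/  { in_blk = 1; next }
        /^\(/                       { in_blk = 0 }
        in_blk && /\[RAND\]/        { has_rand = 1 }
        in_blk && /\[ available \]/ { avail = 1 }
        END { exit !(has_rand && avail) }
    '
}

# rndr_preflight FILE < engine-output: 0 = usable, 2 = CPU lacks rng,
# 3 = engine missing, not offering RAND, or unavailable.
rndr_preflight() {
    cpu_has_rng "$1" || { echo "CPU does not advertise rng"; return 2; }
    engine_reports_available || { echo "rndr RAND not available"; return 3; }
    echo "rndr engine usable"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CPUINFO_RNG='processor : 0
Features : fp asimd aes sha2 atomics rng'
SAMPLE_CPUINFO_NO_RNG='processor : 0
Features : fp asimd aes sha2 atomics'
SAMPLE_ENGINE_OK='(rndr) Arm RNDR engine
 [RAND]
     [ available ]'
SAMPLE_ENGINE_UNAVAILABLE='(rndr) Arm RNDR engine
 [RAND]
     [ unavailable ]'
```

On a real host, pipe the verification command into it: openssl engine -t -c libeng_rndr | rndr_preflight /proc/cpuinfo. A non-zero exit means applications should not be configured to rely on the engine as their RAND source.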

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.
