s2n changing OpenSSL engine globally

[eliasdaler]

Describe the bug

Hello.
We're integrating the AWS SDK into our existing code base and noticed that RAND_poll started failing (returning 1) after Aws::InitAPI is called.
E.g.:

Aws::InitAPI(options);
printf("RAND_poll after InitAPI: %d\n", RAND_poll()); // 0, failure (returns 1 otherwise if InitAPI is not called)

After further investigation, I noticed that s2n was setting a custom random engine (here) which doesn't support "add" method which is why RAND_poll started failing: see the following line.

Is is possible to somehow stop s2n from doing replacing the global engine?

The only way options I see right now is to either use OpenSSL-FIPS (not an option for us, unfortunately) or disable the s2n usage completely. However, I've found that NO_ENCRYPTION/BYO_CRYPTO seems to be broken and I don't see any other way of disabling this behaviour.

Any further help will be appreciated.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

I expect aws-sdk-cpp to not change the OpenSSL engine globally.

Current Behavior

See the description above.

Reproduction Steps

#include <cstdio>
#include <aws/core/Aws.h>
#include <openssl/rand.h>

int main(int argc, char **argv) {
    Aws::SDKOptions options;
    options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Trace;

    printf("RAND_poll before InitAPI: %d\n", RAND_poll()); // 1 (success)
    Aws::InitAPI(options);
    printf("RAND_poll after InitAPI: %d\n", RAND_poll()); // 0 (failure)
}

Possible Solution

No response

Additional Information/Context

No response

AWS CPP SDK version used

1.11.490

Compiler and Version used

gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Operating System and version

Ubuntu 22.04

[sbiscigl]

Hey @eliasdaler ,

First and foremost thank you so much for the detailed investigation it really makes things a lot easier for us to action on.

Spoke with s2n about this and it looks like we are going to work to provide an option to disable replacing the rand engine. I cant say exactly when we will have it available but we are working at implementing it, will give you a update as we close to merging it.

[sbiscigl]

OK looks like this is fixed now and if you build the SDK with the option -DS2N_OVERRIDE_LIBCRYPTO_RAND_ENGINE=OFF it will work as expected i.e.

project structure:

~/sdk-usage-workspace ❯❯❯ tree -L 1
.
├── CMakeLists.txt
├── Dockerfile
├── main.cpp
└── replicate.sh

Dockerfile

FROM public.ecr.aws/amazonlinux/amazonlinux:2023
RUN yum groupinstall "Development Tools" -y
RUN yum install -y curl-devel openssl-devel ninja-build cmake3

# build and install SDK
RUN git clone --depth 1 --recurse-submodules https://github.com/aws/aws-sdk-cpp && \
    cd aws-sdk-cpp && \
    mkdir build && \
    cd build && \
    cmake -DBUILD_ONLY="core" \
      -DCMAKE_INSTALL_PREFIX=/sdk-install \
      -DS2N_OVERRIDE_LIBCRYPTO_RAND_ENGINE=OFF \
      -DAUTORUN_UNIT_TESTS=OFF .. && \
    cmake --build . && \
    cmake --install .

# Copy over and build
RUN mkdir sdk-example
COPY CMakeLists.txt /sdk-example/CMakeLists.txt
COPY main.cpp /sdk-example/main.cpp
RUN cd sdk-example &&\
    mkdir build &&\
    cd build &&\
    cmake -DCMAKE_PREFIX_PATH=/sdk-install .. && \
    cmake --build .

CMakeLists.txt

cmake_minimum_required(VERSION 3.13)
project(sdk_usage_workspace)
set(CMAKE_CXX_STANDARD 20)

# Find AWS SDK
find_package(AWSSDK REQUIRED COMPONENTS core)

# Find OpenSSL package
find_package(OpenSSL REQUIRED)

# Add executable
add_executable(${PROJECT_NAME} "main.cpp")

# Link libraries
target_link_libraries(${PROJECT_NAME} PRIVATE
    ${AWSSDK_LINK_LIBRARIES}
    OpenSSL::SSL
    OpenSSL::Crypto
)

# Include directories
target_include_directories(${PROJECT_NAME} PRIVATE ${OPENSSL_INCLUDE_DIR})

main.cpp

#include <aws/core/Aws.h>
#include <openssl/rand.h>

using namespace Aws;

auto main() -> int {
  SDKOptions options;
  options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Trace;
  std::cout << "RAND_poll before InitAPI: " << RAND_poll() << "\n";
  InitAPI(options);
  std::cout << "RAND_poll after InitAPI: " << RAND_poll() << "\n";
  ShutdownAPI(options);
  return 0;
}

replicate.sh

#!/bin/zsh

set -u

# build image
docker build -t test-image .

# run example
docker run --name test-image test-image /sdk-example/build/sdk_usage_workspace

if ./replicate.sh is run you should see

RAND_poll before InitAPI: 1
RAND_poll after InitAPI: 1

We are not making the behavior default per the request of s2n, and will add docs describing this behavior

[sbiscigl]

updated docs, should work as decsribed now if you provide the override, resolving, give a shout if you see anything else weird!