Question related to default RAND usage and update with engine RAND

Dr Paul Dale paul.dale at oracle.com
Sat Dec 5 01:13:38 UTC 2020


Have you tried RAND_set_rand_method()?

This should replace the RNG with yours.

In 3.0, there will be a different scheme and an engine isn’t the ideal way to go.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 1 Dec 2020, at 1:02 am, Mahendra SP <mahendra.sp at gmail.com> wrote:
> 
> Hi All,
> 
> We are planning to use our own RAND implementation using an engine. What we observe is, during Openssl init, default RAND gets initialized to openssl RAND.
> Then later we initialize our engine RAND. Even though we make our RAND as default, we see that still openssl uses the initial default RAND.
> 
> Here is what could be happening. In the function RAND_get_rand_method,  default_RAND_meth gets initialized to openssl RAND. 
> As there is a NULL check for  default_RAND_meth ,  default_RAND_meth  never gets updated as it is not NULL. 
> Even if engine RAND is registered and available for use,  default_RAND_meth never gets updated.
> 
> Given the code snippet below.
> const RAND_METHOD *RAND_get_rand_method(void)
> {
>     const RAND_METHOD *tmp_meth = NULL;
> 
>     if (!RUN_ONCE(&rand_init, do_rand_init))
>         return NULL;
> 
>     CRYPTO_THREAD_write_lock(rand_meth_lock);
>     if (default_RAND_meth == NULL) {
> #ifndef OPENSSL_NO_ENGINE
>         ENGINE *e;
> 
>         /* If we have an engine that can do RAND, use it. */
>         if ((e = ENGINE_get_default_RAND()) != NULL
>                 && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
>             funct_ref = e;
>             default_RAND_meth = tmp_meth;
>         } else {
>             ENGINE_finish(e);
>             default_RAND_meth = &rand_meth;
>         }
> #else
>         default_RAND_meth = &rand_meth;
> #endif
>     }
>     tmp_meth = default_RAND_meth;
>     CRYPTO_THREAD_unlock(rand_meth_lock);
>     return tmp_meth;
> }
> 
> Should we remove the NULL check for default_RAND_meth to fix this issue ? Or is there any other way?
> 
> Thanks
> Mahendra
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201205/d5730465/attachment.html>


More information about the openssl-users mailing list