Question related to default RAND usage and update with engine RAND
Dr Paul Dale
paul.dale at oracle.com
Sat Dec 5 01:13:38 UTC 2020
Have you tried RAND_set_rand_method()?
This should replace the RNG with yours.
In 3.0, there will be a different scheme and an engine isn’t the ideal way to go.
Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia
> On 1 Dec 2020, at 1:02 am, Mahendra SP <mahendra.sp at gmail.com> wrote:
>
> Hi All,
>
> We are planning to use our own RAND implementation using an engine. What we observe is, during OpenSSL init, default RAND gets initialized to OpenSSL RAND.
> Then later we initialize our engine RAND. Even though we make our RAND as default, we see that OpenSSL still uses the initial default RAND.
>
> Here is what could be happening. In the function RAND_get_rand_method, default_RAND_meth gets initialized to openssl RAND.
> As there is a NULL check for default_RAND_meth, default_RAND_meth never gets updated as it is not NULL.
> Even if engine RAND is registered and available for use, default_RAND_meth never gets updated.
>
> Given the code snippet below.
> const RAND_METHOD *RAND_get_rand_method(void)
> {
>     const RAND_METHOD *tmp_meth = NULL;
>
>     if (!RUN_ONCE(&rand_init, do_rand_init))
>         return NULL;
>
>     CRYPTO_THREAD_write_lock(rand_meth_lock);
>     if (default_RAND_meth == NULL) {
> #ifndef OPENSSL_NO_ENGINE
>         ENGINE *e;
>
>         /* If we have an engine that can do RAND, use it. */
>         if ((e = ENGINE_get_default_RAND()) != NULL
>                 && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
>             funct_ref = e;
>             default_RAND_meth = tmp_meth;
>         } else {
>             ENGINE_finish(e);
>             default_RAND_meth = &rand_meth;
>         }
> #else
>         default_RAND_meth = &rand_meth;
> #endif
>     }
>     tmp_meth = default_RAND_meth;
>     CRYPTO_THREAD_unlock(rand_meth_lock);
>     return tmp_meth;
> }
>
> Should we remove the NULL check for default_RAND_meth to fix this issue? Or is there any other way?
>
> Thanks
> Mahendra
>
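
The ordering problem described in the quoted message, and the effect of an explicit setter as suggested in the reply, shown as a self-contained C model. This is an added example, not OpenSSL source and not code from either poster; every model_* name and the marker bytes are hypothetical stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for RAND_METHOD: only the bytes callback is modelled. */
typedef struct { int (*bytes)(unsigned char *buf, int num); } model_method;

/* Marker bytes (not randomness) so the caller can tell which source answered. */
static int builtin_bytes(unsigned char *b, int n) { memset(b, 0xAA, (size_t)n); return 1; }
static int engine_bytes(unsigned char *b, int n)  { memset(b, 0xEE, (size_t)n); return 1; }

static const model_method builtin     = { builtin_bytes };
static const model_method engine_rand = { engine_bytes };

static const model_method *engine_default = NULL; /* models ENGINE_get_default_RAND() */
static const model_method *cached = NULL;         /* models default_RAND_meth */

void model_reset(void) { engine_default = NULL; cached = NULL; }

/* Models registering the engine as the default RAND provider. */
void model_engine_set_default(const model_method *m) { engine_default = m; }

/* Same shape as the quoted getter: resolve once, then reuse the cache. */
const model_method *model_get_method(void)
{
    if (cached == NULL)
        cached = (engine_default != NULL) ? engine_default : &builtin;
    return cached;
}

/* Models an explicit setter: overwrites the cache unconditionally. */
int model_set_method(const model_method *m) { cached = m; return 1; }

/* Consumers fetch the method through the getter on every call. */
int model_rand_bytes(unsigned char *buf, int num)
{
    return model_get_method()->bytes(buf, num);
}

/* Scenario from the thread: the RNG is touched during init, before the
 * engine is registered. out[i] is the first byte drawn after each step. */
void model_scenario(unsigned char out[3])
{
    model_reset();
    model_rand_bytes(&out[0], 1);            /* init: caches the builtin */
    model_engine_set_default(&engine_rand);  /* engine registered too late */
    model_rand_bytes(&out[1], 1);            /* still served by the builtin */
    model_set_method(&engine_rand);          /* explicit replacement */
    model_rand_bytes(&out[2], 1);            /* now served by the engine */
}
```

In the model, registering the engine before the first draw makes the getter pick it up without any explicit set, which is why the result depends on initialization order.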
More information about the openssl-users
mailing list