Question related to default RAND usage and update with engine RAND

[Mahendra SP]

Hi All,

We are planning to use our own RAND implementation using an engine. What we
observe is, during Openssl init, default RAND gets initialized to openssl
RAND.
Then later we initialize our engine RAND. Even though we make our RAND as
default, we see that still openssl uses the initial default RAND.

Here is what could be happening. In the function RAND_get_rand_method,
default_RAND_meth gets initialized to openssl RAND.
As there is a NULL check for  default_RAND_meth ,  default_RAND_meth  never
gets updated as it is not NULL.
Even if engine RAND is registered and available for use,  default_RAND_meth
never gets updated.

Given the code snippet below.
const RAND_METHOD *RAND_get_rand_method(void)
{
    const RAND_METHOD *tmp_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return NULL;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
    if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
        ENGINE *e;

        /* If we have an engine that can do RAND, use it. */
        if ((e = ENGINE_get_default_RAND()) != NULL
                && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
            funct_ref = e;
            default_RAND_meth = tmp_meth;
        } else {
            ENGINE_finish(e);
            default_RAND_meth = &rand_meth;
        }
#else
        default_RAND_meth = &rand_meth;
#endif
    }
    tmp_meth = default_RAND_meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);
    return tmp_meth;
}

Should we remove the NULL check for default_RAND_meth to fix this issue ?
Or is there any other way?

Thanks
Mahendra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20201130/2283aa05/attachment.html>