openssl-users Digest, Vol 77, Issue 6

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Mon Apr 5 09:52:02 UTC 2021



> It isn't possible to do what you are wanting.  RAND_METHOD replaces the RNG everywhere.  It cannot be done on a per thread process.

Well, technically it *is* possible. However, I'm still in doubt whether it is really necessary and should be done.

The following example assumes you are compiling for linux (or another unix-ish os) and using pthreads:
Assume that you recorded the thread id of your thread T1 (which you obtained from pthread_create())
in the static variable 'tid1'. Then you could take the code from [1] and modify it as follows:

```
static int my_rand_bytes(unsigned char *out, int count)
{
                int ret;

                if (pthread_equal(pthread_self(), tid1) {
                               // ... call your special RNG here
                } else {

                               RAND_DRBG *drbg = RAND_DRBG_get0_public();

                               if (drbg == NULL)
                                               return 0;

                               ret = RAND_DRBG_bytes(drbg, out, count);
                }

                return ret;
}
```

This is just a rough sketch, note that there are more RAND_METHODs to be considered [2].


Matthias



[1] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970
[2] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L1146-L1153




From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr Paul Dale
Sent: Monday, April 5, 2021 3:18 AM
To: openssl-users at openssl.org
Subject: Re: openssl-users Digest, Vol 77, Issue 6

Vishwanath,

It isn't possible to do what you are wanting.  RAND_METHOD replaces the RNG everywhere.  It cannot be done on a per thread process.


Pauli
On 4/4/21 9:55 pm, Vishwanath Mahajanshetty wrote:
Hi Paul,

Thanks for your response. I understand the concern for good random numbers; but in this scenario when second thread calls SSL_CTX_new it is waiting forever in RAND_priv_bytes(). Looks like entropy functions defined by first (bind) thread are very specific for its own use case and can't be used by other treads.
So I am thinking of using default OpenSSL RAND_METHOD for second thread and keep first thread (bind) to use its own random number generators.

Please let me know how can I make one thread use default RAND_METHOD and keep other thread to use its own method. I have gone through RAND_bytes() and drbg_bytes() but not getting enough idea. It would be really helpful if you point out APIs which help me to achieve this requirement.

Thank You,
Vishwanath M



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210405/338cf492/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7494 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210405/338cf492/attachment-0001.bin>


More information about the openssl-users mailing list