Regarding RAND_set_rand_method

Dr Paul Dale pauli at openssl.org
Fri Apr 2 06:51:28 UTC 2021


There isn't an easy way to do what you want in 1.1.1. 
RAND_set_rand_method replaces the RNG for all of OpenSSL.  In theory 
your RAND_METHOD could detect which thread it is running in and do 
different things for each.  I'm not sure this is a good idea however.

Why aren't the random numbers from your first thread good enough for the 
second?  Good random numbers are just that - random.  It should be 
impossible to distinguish the two streams.

In OpenSSL 3.0 there are ways to achieve what you're wanting.


Pauli

On 2/4/21 4:24 pm, Vishwanath Mahajanshetty wrote:
>
> Hi,
>
> I have some doubts/questions on how to use methods (for ex: 
> RAND_set_rand_method) in multi threaded application which use OpenSSL. 
> In my application (running on OpenSSL 1.1.1d) there are two threads 
> which use OpenSSL, both threads perform very different operations. The 
> issue I am facing is as below:
>
> Thread T1 calls RAND_set_rand_method() and sets RAND_METHOD structure. 
> This is very specific to T1's use case. When thread T2 wants to create 
> SSL_CTX it calls SSL_CTX_new() which then calls RAND_priv_bytes(). I 
> am observing that the function RAND_priv_bytes() is calling the 
> function set by T1 by RAND_METHOD in RAND_set_rand_method().
>
> Essentially RAND_METHOD functions set by thread T1 are getting called 
> by thread T2.
>
> *Q1: I want to know is there any way to avoid this problem? I want 
> thread T2 to call default RAND methods and avoid calling methods set 
> by thread T1. This is not only for RAND methods, but for any other 
> methods.*
>
> Q2: Also, is it possible to run OpenSSL as separate instance per 
> thread (where each thread can do its own OpenSSL initialization) so 
> that they can avoid above mentioned problem?
>
> Thank you,
>
> Vishwanath M
>
