RE: openssl-users Digest, Vol 77, Issue 6

["Dr. Matthias St. Pierre" <Matthias.St.Pierre@xxxxxxxxx>]

 

> It isn't possible to do what you are wanting.  RAND_METHOD replaces the RNG everywhere.  It cannot be done on a per thread process.

Well, technically it *is* possible. However, I’m still in doubt whether it is really necessary and should be done.

 

The following example assumes you are compiling for linux (or another unix-ish os) and using pthreads:

Assume that you recorded the thread id of your thread T1 (which you obtained from pthread_create())

in the static variable ‘tid1’. Then you could take the code from [1] and modify it as follows:

 

```

static int my_rand_bytes(unsigned char *out, int count)

{

                int ret;

               

                if (pthread_equal(pthread_self(), tid1) {

                               // ... call your special RNG here

                } else {

               

                               RAND_DRBG *drbg = RAND_DRBG_get0_public();

 

                               if (drbg == NULL)

                                               return 0;

 

                               ret = RAND_DRBG_bytes(drbg, out, count);

                }

 

                return ret;

}

```

 

This is just a rough sketch, note that there are more RAND_METHODs to be considered [2].

 

 

Matthias

 

 

 

[1] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970

[2] https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L1146-L1153

 

 

 

 

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Dr Paul Dale
Sent: Monday, April 5, 2021 3:18 AM
To: openssl-users@xxxxxxxxxxx
Subject: Re: openssl-users Digest, Vol 77, Issue 6

 

Vishwanath,

It isn't possible to do what you are wanting.  RAND_METHOD replaces the RNG everywhere.  It cannot be done on a per thread process.


Pauli

On 4/4/21 9:55 pm, Vishwanath Mahajanshetty wrote:

Hi Paul,

 

Thanks for your response. I understand the concern for good random numbers; but in this scenario when second thread calls SSL_CTX_new it is waiting forever in RAND_priv_bytes(). Looks like entropy functions defined by first (bind) thread are very specific for its own use case and can’t be used by other treads.

So I am thinking of using default OpenSSL RAND_METHOD for second thread and keep first thread (bind) to use its own random number generators.

 

Please let me know how can I make one thread use default RAND_METHOD and keep other thread to use its own method. I have gone through RAND_bytes() and drbg_bytes() but not getting enough idea. It would be really helpful if you point out APIs which help me to achieve this requirement.

 

Thank You,

Vishwanath M

 

 

 

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature