Question related to default RAND usage and update with engine RAND

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Question related to default RAND usage and update with engine RAND

Mahendra SP
Hi All,

We are planning to use our own RAND implementation using an engine. What we observe is, during Openssl init, default RAND gets initialized to openssl RAND.
Then later we initialize our engine RAND. Even though we make our RAND as default, we see that still openssl uses the initial default RAND.

Here is what could be happening. In the function RAND_get_rand_method,  default_RAND_meth gets initialized to openssl RAND. 
As there is a NULL check for  default_RAND_meth ,  default_RAND_meth  never gets updated as it is not NULL. 
Even if engine RAND is registered and available for use,  default_RAND_meth never gets updated.

Given the code snippet below.
const RAND_METHOD *RAND_get_rand_method(void)
{
    const RAND_METHOD *tmp_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return NULL;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
    if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
        ENGINE *e;

        /* If we have an engine that can do RAND, use it. */
        if ((e = ENGINE_get_default_RAND()) != NULL
                && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
            funct_ref = e;
            default_RAND_meth = tmp_meth;
        } else {
            ENGINE_finish(e);
            default_RAND_meth = &rand_meth;
        }
#else
        default_RAND_meth = &rand_meth;
#endif
    }
    tmp_meth = default_RAND_meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);
    return tmp_meth;
}

Should we remove the NULL check for default_RAND_meth to fix this issue ? Or is there any other way?

Thanks
Mahendra

Reply | Threaded
Open this post in threaded view
|

Re: Question related to default RAND usage and update with engine RAND

Dr Paul Dale
Have you tried RAND_set_rand_method()?

This should replace the RNG with yours.

In 3.0, there will be a different scheme and an engine isn’t the ideal way to go.


Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




On 1 Dec 2020, at 1:02 am, Mahendra SP <[hidden email]> wrote:

Hi All,

We are planning to use our own RAND implementation using an engine. What we observe is, during Openssl init, default RAND gets initialized to openssl RAND.
Then later we initialize our engine RAND. Even though we make our RAND as default, we see that still openssl uses the initial default RAND.

Here is what could be happening. In the function RAND_get_rand_method,  default_RAND_meth gets initialized to openssl RAND. 
As there is a NULL check for  default_RAND_meth ,  default_RAND_meth  never gets updated as it is not NULL. 
Even if engine RAND is registered and available for use,  default_RAND_meth never gets updated.

Given the code snippet below.
const RAND_METHOD *RAND_get_rand_method(void)
{
    const RAND_METHOD *tmp_meth = NULL;

    if (!RUN_ONCE(&rand_init, do_rand_init))
        return NULL;

    CRYPTO_THREAD_write_lock(rand_meth_lock);
    if (default_RAND_meth == NULL) {
#ifndef OPENSSL_NO_ENGINE
        ENGINE *e;

        /* If we have an engine that can do RAND, use it. */
        if ((e = ENGINE_get_default_RAND()) != NULL
                && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
            funct_ref = e;
            default_RAND_meth = tmp_meth;
        } else {
            ENGINE_finish(e);
            default_RAND_meth = &rand_meth;
        }
#else
        default_RAND_meth = &rand_meth;
#endif
    }
    tmp_meth = default_RAND_meth;
    CRYPTO_THREAD_unlock(rand_meth_lock);
    return tmp_meth;
}

Should we remove the NULL check for default_RAND_meth to fix this issue ? Or is there any other way?

Thanks
Mahendra