RE: openssl-users Digest, Vol 77, Issue 6

[Dr. Matthias St. Pierre]

> It isn't possible to do what you are wanting.  RAND_METHOD replaces the RNG 
> everywhere.  It cannot be done on a per thread process.

Well, technically it *is* possible. However, I'm still in doubt whether it is 
really necessary and should be done.

The following example assumes you are compiling for linux (or another unix-ish 
os) and using pthreads:
Assume that you recorded the thread id of your thread T1 (which you obtained 
from pthread_create())
in the static variable 'tid1'. Then you could take the code from [1] and modify 
it as follows:

```
static int my_rand_bytes(unsigned char *out, int count)
{
                int ret;

                if (pthread_equal(pthread_self(), tid1) {
                               // ... call your special RNG here
                } else {

                               RAND_DRBG *drbg = RAND_DRBG_get0_public();

                               if (drbg == NULL)
                                               return 0;

                               ret = RAND_DRBG_bytes(drbg, out, count);
                }

                return ret;
}
```

This is just a rough sketch, note that there are more RAND_METHODs to be 
considered [2].


Matthias



[1] 
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L958-L970
[2] 
https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/rand/drbg_lib.c#L1146-L1153




From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Dr Paul 
Dale
Sent: Monday, April 5, 2021 3:18 AM
To: openssl-users@openssl.org
Subject: Re: openssl-users Digest, Vol 77, Issue 6

Vishwanath,

It isn't possible to do what you are wanting.  RAND_METHOD replaces the RNG 
everywhere.  It cannot be done on a per thread process.


Pauli
On 4/4/21 9:55 pm, Vishwanath Mahajanshetty wrote:
Hi Paul,

Thanks for your response. I understand the concern for good random numbers; but 
in this scenario when second thread calls SSL_CTX_new it is waiting forever in 
RAND_priv_bytes(). Looks like entropy functions defined by first (bind) thread 
are very specific for its own use case and can't be used by other treads.
So I am thinking of using default OpenSSL RAND_METHOD for second thread and 
keep first thread (bind) to use its own random number generators.

Please let me know how can I make one thread use default RAND_METHOD and keep 
other thread to use its own method. I have gone through RAND_bytes() and 
drbg_bytes() but not getting enough idea. It would be really helpful if you 
point out APIs which help me to achieve this requirement.

Thank You,
Vishwanath M

smime.p7s
Description: S/MIME cryptographic signature