Re: DH_generate_key Hangs

Thanks Jeff,

The challenge is that we are not directly calling RAND_poll(). We just call DH_generate_key for the DH key.
From the following call stack, you can see that RAND_poll() is triggered by ssleay_rand_bytes.

  libeay32d.dll!RAND_poll()  Line 572 C
  libeay32d.dll!ssleay_rand_bytes(unsigned char * buf=0x03318fe0, int num=128, int pseudo=0)  Line 395 C
  libeay32d.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf=0x03318fe0, int num=128)  Line 536 + 0xf bytes C
  libeay32d.dll!RAND_bytes(unsigned char * buf=0x03318fe0, int num=128)  Line 164 + 0x10 bytes C
  libeay32d.dll!bnrand(int pseudorand=0, bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0)  Line 152 + 0xd bytes C
> libeay32d.dll!BN_rand(bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0)  Line 213 + 0x17 bytes C
  libeay32d.dll!generate_key(dh_st * dh=0x03316a88)  Line 170 + 0x11 bytes C
  libeay32d.dll!DH_generate_key(dh_st * dh=0x03316a88)  Line 84 + 0xf bytes C

Jason


On Thu, Oct 5, 2017 at 7:52 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>> You should avoid calls to RAND_poll altogether on Windows. Do so by
>> explicitly seeding the random number generator yourself.
>
> As a starting point, try something like this:
>
> -----
> #include <openssl/crypto.h>
> #include <openssl/engine.h>
> #include <openssl/rand.h>
>
> static ENGINE *rdrand;
>
> void init_prng(void) {
>     /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */
>     OPENSSL_cpuid_setup();
>     ENGINE_load_rdrand();
>     rdrand = ENGINE_by_id("rdrand");
>     if (rdrand) {
>         int success = 0;
>         if (ENGINE_init(rdrand)) {
>             success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);
>             /* ENGINE_init took a functional reference. Release it now if
>                we aren't going to use the engine; otherwise keep it until
>                terminate_engines calls ENGINE_finish. Don't call
>                ENGINE_finish when ENGINE_init failed: there is no
>                functional reference to release in that case. */
>             if (!success) ENGINE_finish(rdrand);
>         }
>
>         /***
>         Per OpenSSL wiki, call ENGINE_free here regardless of whether we're
>         successfully using rdrand: it releases the structural reference
>         taken by ENGINE_by_id. The "functional reference" to rdrand will
>         be released when we call ENGINE_finish.
>         ***/
>         ENGINE_free(rdrand);
>         if (!success) rdrand = NULL;
>     }
>
>     if (!rdrand && !RAND_status()) {
>         RAND_screen();   /* this isn't really enough entropy, but it's a start */
>         if (!RAND_status()) {
>             RAND_poll();      /* try to gather additional entropy */
>         }
>     }
> }
>
> void terminate_engines(void) {
>     if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;
>     /* similarly for any other engines you use */
>     ENGINE_cleanup();
> }
> -----
>
> Call init_prng after your OpenSSL initialization code (e.g. after calling OpenSSL_add_all_algorithms), and terminate_engines when you're done using OpenSSL (e.g. just before process exit).
>
> Note that this code uses RAND_screen if RDRAND isn't available. RAND_screen is really not a very good idea; it may be OK on workstations, but rarely provides much entropy on servers because they typically aren't doing much screen output. And if you still need entropy after the RAND_screen call, you'll end up in RAND_poll anyway. The alternative is to write your own code that harvests entropy from some source (or sources).
>
> Other people may have better suggestions.

Headless servers without hw entropy sources are tough. In this case I
use hedging. I've got some patches somewhere for 1.0.1, but they won't
apply to 0.9.8.

Also see:

* When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities
and Hedging Deployed Cryptography,
http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf
* When Virtual is Harder than Real: Security Challenges in Virtual
Machine Based Computing Environments,
http://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf

Jeff

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
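As an added illustration of the advice in this thread (seed the PRNG yourself and confirm RAND_status() before generating key material, so the library never falls into RAND_poll() lazily from bnrand), here is example code that is not from the thread or from OpenSSL. It uses Python's ssl bindings to the same RAND_status/RAND_add/RAND_bytes calls rather than the 0.9.8 C API, and the exponent shape mirrors the BN_rand(bits=1023, top=0, bottom=0) call in Jason's trace; the byte counts and round limit are assumptions.

```python
import os
import ssl

# Added example (not from the thread). Python's ssl module wraps the same
# OpenSSL RAND_* entry points that appear in the call stack above.


def seed_openssl_prng(seed_bytes: int = 32, max_rounds: int = 4) -> bool:
    """Seed OpenSSL's PRNG from the OS CSPRNG until RAND_status() reports
    it is seeded. Returns False if it still is not, so the caller can
    refuse to continue instead of letting OpenSSL poll on its own."""
    for _ in range(max_rounds):
        if ssl.RAND_status():
            return True
        seed = os.urandom(seed_bytes)
        # Second argument is the entropy estimate in bytes; os.urandom
        # output is full-entropy, so credit its whole length.
        ssl.RAND_add(seed, float(len(seed)))
    return ssl.RAND_status()


def random_dh_exponent(bits: int) -> int:
    """Return a `bits`-bit random integer with the top bit set, the shape
    BN_rand(rnd, bits, top=0, bottom=0) builds inside generate_key().
    Raises instead of drawing from an unseeded PRNG."""
    if bits < 1:
        raise ValueError("bits must be positive")
    if not ssl.RAND_status():
        raise RuntimeError("OpenSSL PRNG not seeded; call seed_openssl_prng() first")
    nbytes = (bits + 7) // 8
    value = int.from_bytes(ssl.RAND_bytes(nbytes), "big")
    value &= (1 << bits) - 1        # drop any excess high bits
    value |= 1 << (bits - 1)        # top=0: force the most significant bit on
    return value


if __name__ == "__main__":
    if not seed_openssl_prng():
        raise SystemExit("could not seed the OpenSSL PRNG")
    x = random_dh_exponent(1023)    # same width as the BN_rand call in the trace
    print(f"seeded={ssl.RAND_status()} exponent_bits={x.bit_length()}")
```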
