> Indeed, one workaround for your application would be to seed and reseed > the random generator manually using RAND_bytes(), ... Correction, I meant to say ".. using RAND_add()..." > -----Original Message----- > From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Dr. Matthias St. Pierre > Sent: Tuesday, March 24, 2020 11:49 PM > To: Suvendhu Hansa <suvendhu@xxxxxxxxx>; openssl-users@xxxxxxxxxxx > Subject: RE: RAND SEED in vxworks6.9 > > Hi, > > > I am beginner in openssl and I am porting openSSL-1.1.1d in vxWorks-6.9. So > > as suggested I have defined "OPENSSL_RAND_SEED_NONE" flag, as for vxWorks > > 'none' is only supported but after doing so I am observing > > "rand_pool_entropy_available()" returns 0 which further leads to failure. > > I came across that while NONE is set then manual seed and re-seed is must > > for the applications depend on random generator. > > Indeed, OPENSSL_RAND_SEED_NONE is the default on platforms where OpenSSL > does not know how to obtain cryptographically strong randomness from a trusted > entropy source. This does not mean that no such source exists, but nobody has > implemented the get_entropy callback for that platform yet. > > > I am very confused and as not having any openSSL experience I am not able to > > understand what needs to be done to resolve this issue. > > > > In my project many applications are using openssl APIs, So do I need to call > > RAND_add() in all applications where some random generation is being done? > > or is there anything else I can do to provide the seeds? > > Indeed, one workaround for your application would be to seed and reseed > the random generator manually using RAND_bytes(), as it is explained in the > `RESEEDING` section of the RAND_DRBG(7) manual page (see [1]). > However, be warned that it notoriously hard to estimate the quality of a > random source (a.k.a "entropy") correctly, and that a normal application > developer with little knowledge of cryptography would end up with a fake > sense of security because he overestimated the quality of his random seed. > > A better solution would be to use a trusted random source provided by the > operating system or some system library and use it to implement the > get_entropy callbacks for the VxWorks platform. This could even become > part of the official OpenSSL distribution. (Since it's a new feature, it won't > be backported to 1.1.1, but you could patch your local OpenSSL instance > when the implementation is available). > > There was some discussion about a suitable random source for VxWorks > on GitHub in issue #7946 (see [1]), but unfortunately no pull request > emerged of it and the discussion has stalled some time ago. > > You could visit the issue's thread and try to contact Tobias Klotz > (by mentioning @klotzt-draeger in the thread) to find out what the > current state is. If he comes up with a pull request, I could assist with > reviewing it, but I can't implement it since I don't have access to the > VxWorks platform. > > Hope that helps, > > Regards, > Matthias > > > [1] https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html > [2] https://github.com/openssl/openssl/issues/7946 >
