[openssl-users] DH_generate_key Hangs
Jason Qian
jqian at tibco.com
Fri Oct 6 13:14:02 UTC 2017
Thanks Jeff,
The challenge is that, we are not directly calling RAND_poll(). We just
call *DH_generate_key* for DH key.
>From the following call stacks, you can see the RAND_poll() is triggered by
ssleay_rand_bytes.
libeay32d.dll!*RAND_poll*() Line 572 C
libeay32d.dll!ssleay_rand_bytes(unsigned char * buf=0x03318fe0, int
num=128, int pseudo=0) Line 395 C
libeay32d.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf=0x03318fe0,
int num=128) Line 536 + 0xf bytes C
libeay32d.dll!RAND_bytes(unsigned char * buf=0x03318fe0, int num=128)
Line 164 + 0x10 bytes C
libeay32d.dll!bnrand(int pseudorand=0, bignum_st * rnd=0x03318518, int
bits=1023, int top=0, int bottom=0) Line 152 + 0xd bytes C
> libeay32d.dll!BN_rand(bignum_st * rnd=0x03318518, int bits=1023, int
top=0, int bottom=0) Line 213 + 0x17 bytes C
libeay32d.dll!generate_key(dh_st * dh=0x03316a88) Line 170 + 0x11 bytes C
libeay32d.dll!*DH_generate_key*(dh_st * dh=0x03316a88) Line 84 + 0xf
bytes C
Jason
On Thu, Oct 5, 2017 at 7:52 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> >> You should avoid calls to RAND_poll altogether on Windows. Do so by
> >> explicitly seeding the random number generator yourself.
> >
> > As a starting point, try something like this:
> >
> > -----
> > static ENGINE *rdrand;
> >
> > void init_prng(void) {
> > /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */
> > OPENSSL_cpuid_setup();
> > ENGINE_load_rdrand();
> > rdrand = ENGINE_by_id("rdrand");
> > if (rdrand) {
> > int success = 0;
> > if (ENGINE_init(rdrand)) {
> > success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);
> > }
> >
> > /***
> > Per OpenSSL wiki, call ENGINE_free here regardless of whether
> we're
> > successfully using rdrand. The "functional reference" to rdrand
> will
> > be released when we call ENGINE_finish.
> > ***/
> > ENGINE_free(rdrand);
> > if (! success) ENGINE_finish(rdrand), rdrand = NULL;
> > }
> >
> > if (!rdrand && !RAND_status()){
> > RAND_screen(); /* this isn't really emough entropy, but it's a
> start */
> > if (!RAND_status()) {
> > RAND_poll(); /* try to gather additional entropy */
> > }
> > }
> > }
> >
> > void terminate_engines(void) {
> > if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;
> > /* similarly for any other engines you use */
> > ENGINE_cleanup();
> > }
> > -----
> >
> > Call init_prng after your OpenSSL initialization code (e.g. after
> calling OpenSSL_add_all_algorithms), and terminate_engines when you're done
> using OpenSSL (e.g. just before process exit).
> >
> > Note that this code uses RAND_screen if RDRAND isn't available.
> RAND_screen is really not a very good idea; it may be OK on workstations,
> but rarely provides much entropy on servers because they typically aren't
> doing much screen output. And if you still need entropy after the
> RAND_screen call, you'll end up in RAND_poll anyway. The alternative is to
> write your own code that harvests entropy from some source (or sources).
> >
> > Other people may have better suggestions.
>
> Headless servers without hw entropy sources are tough. In this case I
> use hedging. I've got some patches somewhere for 1.0.1, but they won't
> apply to 0.9.8.
>
> Also see:
>
> * When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities
> and Hedging Deployed Cryptography,
> http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf
> * When Virtual is Harder than Real: Security Challenges in Virtual
> Machine Based Computing Environments,
> http://www.usenix.org/legacy/event/hotos05/final_papers/
> full_papers/garfinkel/garfinkel.pdf
>
> Jeff
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171006/b3f22343/attachment.html>
More information about the openssl-users
mailing list