Using RAND_status()

Jayme Mikko Ancla jaymemikko at gmail.com
Wed Feb 15 23:48:19 UTC 2023


Hi all,

Thanks for the replies.
I checked our original code and made sure that we use Default and Legacy
providers. (looks like I omitted it in my first email).
Some info:
OpenSSL Version: 3.0.5
Commands for building OpenSSL: *perl Configure VC-WIN32
--prefix=C:/openssl-3.0.5-debug-vc19 --debug*
Compiler used(for our program and OpenSSL build): *Visual Studio 2019*
Platform: *Windows 10 22H2 64bit*

Note that there is no problem with these sequences of code during *runtime*.
BUT, whenever we *enable *our memory leak detection software *PurifyPlus *then
run our program, RAND_status() encounters problems which then terminates
the program.












*[I] Message: TerminateProcess called with code 0x3        Call location
        TerminateProcess [C:\Windows\SysWOW64\KERNEL32.DLL]
common_message_window<wchar_t>
[.\minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp:432]            exit_err
   [<REPO>\main.c:521]            __scrt_common_main_seh
[d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:304]
          _aesni_cbc_encrypt
[C:\thirdparty\openssl\openssl-3.0.5-debug\openssl-3.0.5\crypto\aes\libcrypto-shlib-aesni-x86.obj]
          _aesni_set_encrypt_key
[C:\thirdparty\openssl\openssl-3.0.5-debug\openssl-3.0.5\crypto\aes\libcrypto-shlib-aesni-x86.obj]
          cipher_hw_aesni_initkey
[C:\thirdparty\openssl\openssl-3.0.5-debug\openssl-3.0.5\providers\implementations\ciphers\cipher_aes_hw_aesni.inc:37]
          cipher_generic_init_internal
[C:\thirdparty\openssl\openssl-3.0.5-debug\openssl-3.0.5\providers\implementations\ciphers\ciphercommon.c:218]
          ossl_cipher_generic_einit
[C:\thirdparty\openssl\openssl-3.0.5-debug\openssl-3.0.5\providers\implementations\ciphers\ciphercommon.c:228]
          evp_cipher_init_internal
[C:\thirdparty\openssl\openssl-3.0.5-debug\openssl-3.0.5\crypto\evp\evp_enc.c:218]*

The program terminates at *_aesni_cbc_encrypt*.
Are there some pointers we have to initialize or functions to call before
calling RAND_status()?
I also checked about *RAND_DRBG_set_reseed_defaults *but it seems already
removed from 3.0.0.

Regards,
Jayme

On Thu, Feb 16, 2023 at 3:46 AM Steffen Nurpmeso <steffen at sdaoden.eu> wrote:

> Tomas Mraz wrote in
>  <a73ba399390924cb0249146723d43babf485674d.camel at openssl.org>:
>
> (Resorting a bit)
>
>  |On Wed, 2023-02-15 at 12:00 +0800, Jayme Mikko Ancla wrote:
>  |> I would like to know if my use of RAND_status() like below is
>  |> correct:
>  ...
>  |>   if (RAND_status() != 1) {
>  |>     RAND_seed(rnd_seed, sizeof rnd_seed);
>  |>   }
>  ...
>  |I assume you're getting a failure. If so, it is because you did
>  |not load the default provider in addition to the legacy one.
>  |
>  |Otherwise your code is OK, although these days the RAND_seed() call
>
> Has this changed again?  I am now forced to set
>
>   (void)RAND_DRBG_set_reseed_defaults(0, 0, 0, 0); /* (does not fail here)
> */
>
> and especially i call anything in a loop as in
>
>   # if mx_HAVE_TLS != mx_TLS_IMPL_RESSL && !defined mx_XTLS_HAVE_RAND_FILE
>            n_err(_("TLS RAND_bytes(3ssl) failed (missing entropy?), "
>               "waiting a bit\n"));
>            /* Around ~Y2K+1 anything <= was a busy loop iirc, so give pad
> */
>            su_time_msleep(250, FAL0);
>            continue;
>   # endif
>
>  |should not be needed at all, the RNG should be seeded by itself unless
>  |there is something wrong with your build configuration of the OpenSSL
>  |or your OS is some awkward legacy one.
>
> Ah the OS!  "32 byte is enough"(, endlessly), said Jason Donenfeld.
> (Reseeded often, and pretty "nifty", imho.  Once i looked.)
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230216/9c53508d/attachment-0001.htm>


More information about the openssl-users mailing list