select timout in crypto/rand/rand_unix.c

Fri, 28 Feb 2003 04:52:31 -0800 

openssl 0.9.7X uses select() in crypto/rand/rand_unix.c.

i think that the timeout value should be configurable.

we use the /dev/random device only to get very good
random numbers (no /dev/urandom and no egd stuff).
that can be done by using -DDEVRANDOM=\"/dev/random\"
-DDEVRANDOM_EGD=NULL config options.

that way it can happen that you have to wait several
seconds! for random bytes. it takes about 7sec to
get data on a sun blade 100 @ 500mhz after that
machine has been rebooted. (if the machine is running
you get the data much faster).

the default (0.9.7 and 0.9.7a) is to wait for
10msec ... way to short! i modified 
crypto/rand/rand_unix.c from 0.9.7a to have a
timeout of 15 sec:
===
diff -r -u -N openssl-0.9.7a.orig/crypto/rand/rand_unix.c 
openssl-0.9.7a/crypto/rand/rand_unix.c
--- openssl-0.9.7a.orig/crypto/rand/rand_unix.c Thu Nov 28 09:08:40 2002
+++ openssl-0.9.7a/crypto/rand/rand_unix.c      Fri Feb 28 11:41:25 2003
@@ -159,8 +159,8 @@
 #endif
                        )) >= 0)
                        {
-                       struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
-                                                             each file. */
+                       struct timeval t = { 15, 0 }; /* Spend 15s on
+                                                        each file. */
                        int r;
                        fd_set fset;
 
@@ -185,11 +185,11 @@
                                   up here, otherwise, we will do
                                   this once again for the remaining
                                   time. */
-                               if (t.tv_usec == 10*1000)
-                                       t.tv_usec=0;
+                               if (t.tv_sec == 15)
+                                       t.tv_sec=0;
                                }
                        while ((r > 0 || (errno == EINTR || errno == EAGAIN))
-                               && t.tv_usec != 0 && n < ENTROPY_NEEDED);
+                               && t.tv_sec != 0 && n < ENTROPY_NEEDED);
 
                        close(fd);
                        }
===

this change should not affect openssl if you dont change
the config parameters and if you have /dev/urandom.
/dev/urandom is used first and so you should get random
numbers from that device very fast.
but if /dev/urandom does not exist and you use
/dev/srandom or
/var/run/egd-pool /dev/egd-pool /etc/egd-pool /etc/entropy
then you have to wait for that timeout several times.

maybe the order of the devices should be changed that the
least secure one (the fastest) goes first...
maybe the egd stuff should go first, then /dev/urandom and
then /dev/random.
i dont know about /dev/srandom -- just using solaris and linux...

hope this helps, niki
-- 
niki w. waibel - system administrator @ newlogic technologies ag
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to