(Note: You should have started a new thread, not buried your question
in an unrelated thread. E-mails contain hidden headers indicating if
the e-mail was created as a reply to another e-mail, and if so which
one, and many mail programs will group together related mails based
on this.)

On 3/19/2013 9:15 PM, voryl wrote:
Hi

I have been using openssl-fips-2.0.2 to call the drbg random generator.
But I am getting the following errors:

1077246192:error:2D07406D:FIPS routines:FIPS_drbg_instantiate:error
retrieving entropy:fips_drbg_lib.c:286:
1077246192:error:2D07107B:FIPS routines:FIPS_drbg_generate:in error
state:fips_drbg_lib.c:459:

The code I wrote is as follows:

   if ( (urand = fopen ( "/dev/urandom", "r" )) == NULL ) {
     fprintf (stderr, "fopen /dev/urandom error." );
     free(cbuf);
     return 0;// failure
   }

   elements = fread ( cbuf, 16, 1, urand );
   if ( elements != 1 ) {
     fprintf (stderr, "fread error." );
     free(cbuf);
     return 0;
   }

   fclose ( urand );
   /* End initialize PRNG */
   DRBG_CTX *dctx;
   //dctx = FIPS_drbg_new(NID_aes_256_ctr, DRBG_FLAG_CTR_USE_DF);
   dctx = FIPS_drbg_new(NID_sha256, 0);

   if (!FIPS_drbg_instantiate(dctx, cbuf, 10))
   {
      ERR_load_crypto_strings();
      ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
   }

I don't think you are calling it right!

The code in crypto/rand/rand_lib.c calls it with a 32 byte "personalisation string", not a batch of entropy.

And anyway, I think 80 bits of entropy is obviously too
little for a 256 bit RNG, if this call was supposed to
be called with entropy at all.


   /*
   if (!FIPS_drbg_reseed(dctx, cbuf, 16)) {
      ERR_load_crypto_strings();
      ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
   }
   */

   // if (!FIPS_rand_bytes((unsigned char *)cbuf, arraylength)) {
   //   fprintf(stderr, "The PRNG is not seeded!\n");
   // }
   if (FIPS_drbg_generate(dctx, (unsigned char *)cbuf, arraylength, 0, cbuf, 16))
   {
      ERR_load_crypto_strings();
      ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
   }

Any ideas?

thanks much in advance.

voryl




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
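
The sizing point from the reply above, as an added example that is not part of the original thread and not the FIPS module's own API: a seed-gathering helper that derives the byte count from the requested strength (256 bits needs 32 bytes, not 10), handles short reads from /dev/urandom, and wipes the buffer afterwards. The names `fetch_entropy`, `release_entropy` and `seed_bytes_for_strength` are hypothetical, and /dev/urandom is assumed to deliver 8 bits of entropy per byte.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: bytes needed for a given security strength,
 * assuming a full-entropy source (8 bits of entropy per byte). */
static size_t seed_bytes_for_strength(int strength_bits)
{
    return (size_t)(strength_bits + 7) / 8;
}

/* Wipe and release seed material once the generator has consumed it. */
void release_entropy(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    if (buf == NULL) return;
    while (len--) *p++ = 0;          /* volatile write so the wipe is kept */
    free(buf);
}

/* Hypothetical entropy fetcher: allocates a buffer carrying at least
 * strength_bits of entropy, sized within [min_len, max_len] bytes.
 * Returns the byte count, or 0 on failure (callers must treat 0 as fatal). */
size_t fetch_entropy(unsigned char **pout, int strength_bits,
                     size_t min_len, size_t max_len)
{
    size_t need, got = 0;
    unsigned char *buf;
    int fd;

    *pout = NULL;
    if (strength_bits <= 0) return 0;
    need = seed_bytes_for_strength(strength_bits);
    if (need < min_len) need = min_len;  /* never hand back less than asked */
    if (need > max_len) return 0;        /* request cannot be satisfied */
    if ((buf = malloc(need)) == NULL) return 0;
    if ((fd = open("/dev/urandom", O_RDONLY)) < 0) { free(buf); return 0; }
    while (got < need) {                 /* read() may return short counts */
        ssize_t n = read(fd, buf + got, need - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += (size_t)n;
    }
    close(fd);
    if (got != need) { release_entropy(buf, need); return 0; }
    *pout = buf;
    return need;
}
```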