000025278 - Program hangs in C_InitializeCertC()

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000025278
Applies ToRSA BSAFE Cert-C
UNIX
Linux
IssueProgram hangs in C_InitializeCertC()
Program hangs in C_InitializeCertC()

If the log provider is registered first, and then the default crypto service provider, the log file (rsacertc.log) will show any errors.  e.g.
  rsacsp.c(278) : E_OS_PLATFORM : platform-specific error (/dev/random: only 3 of 4 bytes read)

Resolution

The log shows that not enough bytes of entropy could be read from /dev/random.  You can use /dev/urandom instead.

You can set an environment variable called "DEVRANDOM" to "/dev/urandom".  From provider/crypto/rsa/rsacsp.c:

    /* enable the user to set an environment variable to change where
     * the automatically added entropy comes from - for example to
     * /dev/urandom rather than /dev/random
     */
    if (!init_done) {
      char *random_device=NULL;

      random_device = getenv("DEVRANDOM");
      if (random_device != NULL) {
        devRandom = random_device;
      }
    }


/dev/random blocks if there is not enough noise in the entropy pool, so you can use /dev/urandom instead.

From `man urandom`:

"When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.

When read, /dev/urandom device will return as many bytes as are requested."

Notes

To set an environment variable programmatically, you can call putenv().

For example:

  status = putenv("DEVRANDOM=/dev/urandom");


You can do this in your Cert-C application before you register the default crypto service provider.


Switching from /dev/random to /dev/urandom, does have security implications, since /dev/urandom returns bits that contain less entropy than those returned by /dev/random.  Cert-C uses the rsacsp.c provider to seed all of it's pseudo random operations.

If you modify the rsacsp.c provider, you can change the way it works to strengthen the entropy gathering process. For instance, you could have /dev/urandom return more bits. If the bits returned by /dev/urandom contain a relatively constant amount of entropy (this would need to be verified), then more seed bits would contain more entropy. Alternatively, you could use other sources of entropy. In rsacsp.c, RSA_UpdateRandomUnix() uses the addDevRandomEntropy() function (shown above) as only one of several entropy sources.  The relative security of any of these methods would need to be verified by someone other than RSA Support.

Legacy Article IDa39768

Attachments

    Outcomes