On embedded systems you must always consider where you can collect
'entropy' from. This is highly dependent on your hardware. Haven't
worked with vxWorks before, but given your description, the generic
rule for [embedded] systems applies here as well.

Feed OpenSSL 'sufficient' entropy using RAND_add(), either directly or
indirectly (= other calls which call RAND_add()).


When a dedicated [white] noise source is absent, the items listed
below can each add a /few/ bits of entropy, which you should feed into
the OpenSSL randomness pool; as a rule of thumb: feeding it more noise
is better.
Note that all these are [very] low entropy sources, so better collect
data from as many as you can - feed all data to OpenSSL using
RAND_add() (see the relevant OpenSSL manual page as well) - once
OpenSSL has been fed sufficient 'entropy' this way, you can call
random-using calls such as key generators (DH, RSA, ...).

Possible sources of entropy:
- [battery backed] real-time clock registers
- hardware counters (especially the ones not reset during a
soft-reset) and any hardware registers which are not reset during
soft-reset (or indeterminate upon cold boot).
- any ADCs on the board? You may add a cheap (and lousy) noise source
to unused ones (zener diodes which operate in the 'knee', i.e. very
small currents, possibly fed to a high-gain opamp) or keep them
open-ended, then sample the analog signal for a while and feed the
sample to OpenSSL - make sure the sample series isn't all the same
value; this only works with highrez ADCs
- ... other 'unpredictable' inputs (packet buffers in Ethernet chips -
though those are VERY disputable 'chaos' sources).


To get a bit of an idea, you may also have a look at the code in
crypto/rand_win.c, which is Windows specific, but it nicely shows the
idea and the proper execution of that idea.
The bottom line is /not/ that you need egd (which is handy when you
have it and it works), but that you need a sufficient amount of random
data before you start using OpenSSL. Doesn't really matter how you get
that data as long as you find enough of it and feed it to OpenSSL. On
UNIXes, this collecting has generally mostly been taken care of by the
OS already, but you always should check those sources anyhow, even if
it's /dev/[u]random, egd or whatever.

HTH,

Ger


On Wed, Sep 17, 2008 at 4:35 PM, vne <[EMAIL PROTECTED]> wrote:
>
> Hi,
> I am using openSSL 0.9.7b on PPC604 vxWorks Board.
> During initialization of OpenSSL with DHparam file, following flow is used:
> pDHParamfp  /* file pointer to dhparam.pem file */
> ..
> dh = PEM_read_DHparams(pDHParamfp, sdf_co_null, Sdf_co_null, Sdf_co_null);
> ..SSL_CTX_set_tmp_dh(pSslCtx, dh);
>
> from here I am getting the error message "PRNG not seeded".
> This function calls the function 'generate_key' of OpenSSL and from here
> 'BN_rand' returns failure with this error code.
>
> On reading the OpenSSL faq, found that the function 'RAND_egd()' needs to be
> called before this.
> I tried calling this function also but the problem remained the same because
> this function does nothing for vxWorks.
>
> The same source code works fine on Pentium arch. on vxWorks.
>
> Pls suggest if this problem is encountered before.
>
> Thanks.
>
>
> --
> View this message in context: 
> http://www.nabble.com/PRNG-not-seeded-problem-on-PPC604-%28vxWorks-5.5%29-tp19533511p19533511.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web: http://www.hobbelt.com/
 http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--------------------------------------------------
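
Added example, not part of the original message or of OpenSSL: a sketch of the seeding flow described in the reply, feeding low-entropy board sources through RAND_add() with pessimistic entropy credit and gating key generation on the result. The helper names, the 32-byte target and the one-bit-per-8-changes ADC heuristic are assumptions; without -DUSE_OPENSSL it only does the accounting, so it can be tried on a host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef USE_OPENSSL   /* on the target: build with -DUSE_OPENSSL, link libcrypto */
#include <openssl/rand.h>
#endif

#define SEED_TARGET_BYTES 32.0  /* assumed goal: 256 bits of credited entropy */

static double credited_bytes;   /* running total of entropy claimed so far */

/* Mix one source into the pool. All bytes are mixed in, but only
 * est_bytes (a pessimistic lower bound) is credited as entropy. */
void feed_source(const void *buf, size_t len, double est_bytes)
{
#ifdef USE_OPENSSL
    RAND_add(buf, (int)len, est_bytes);
#else
    (void)buf; (void)len;       /* host build: accounting only */
#endif
    credited_bytes += est_bytes;
}

/* Assumed heuristic for an ADC noise input: a series that never changes
 * (stuck or saturated input) earns nothing; otherwise credit one bit
 * per 8 sample-to-sample changes. */
double adc_estimate_bytes(const uint16_t *s, size_t n)
{
    size_t changes = 0;
    for (size_t i = 1; i < n; i++)
        if (s[i] != s[i - 1])
            changes++;
    return (double)(changes / 8) / 8.0;
}

/* Gate for key generation (DH, RSA, ...): do not proceed until true. */
int pool_is_seeded(void)
{
#ifdef USE_OPENSSL
    if (RAND_status() != 1)
        return 0;
#endif
    return credited_bytes >= SEED_TARGET_BYTES;
}

int main(void)
{
    /* Constructed samples: a stuck ADC and a toy toggling one. */
    uint16_t stuck[4] = {7, 7, 7, 7}, noisy[9] = {0, 1, 0, 1, 0, 1, 0, 1, 0};
    feed_source(stuck, sizeof stuck, adc_estimate_bytes(stuck, 4));
    feed_source(noisy, sizeof noisy, adc_estimate_bytes(noisy, 9));
    printf("credited %.3f bytes, seeded=%d\n", credited_bytes, pool_is_seeded());
    return 0;
}
```

On real hardware the same feed_source() call would be repeated for the RTC registers, free-running counters and other sources listed in the reply, each with its own small credit, until pool_is_seeded() returns true.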