Alternate RAND_poll for XP/2003 Server/Vista

Alternate RAND_poll for XP/2003 Server/Vista

Adrià Massanet

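Hi all,

I’m using OpenSSL as a module in PHP (php_openssl), and I need to call the CGI page many times per second, but the initialization process in RAND_poll is too slow.

I’m thinking of modifying OpenSSL to use the rtlGenRandom call available in XP/2003 Server/Vista OSs (see http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx for comments on rtlGenRandom).

The new function looks like:

    #include <windows.h>
    #include <openssl/rand.h>

    /* old_RAND_poll() stands for the existing RAND_poll() implementation;
       ENTROPY_NEEDED is OpenSSL's internal constant from rand_lcl.h. */
    int RAND_poll(void)
    {
        HMODULE hlib;
        BOOLEAN (APIENTRY *rtlgenrandom)(void*, ULONG);
        char buffer[1024];
        int c;

        /* On any error in this block, return the old RAND_poll(). */
        hlib=(HMODULE)LoadLibrary("ADVAPI32.DLL");
        if(hlib==NULL)
            return old_RAND_poll();

        /* RtlGenRandom is exported from ADVAPI32.DLL as SystemFunction036. */
        rtlgenrandom=(BOOLEAN (APIENTRY *)(void*,ULONG))GetProcAddress(hlib,"SystemFunction036");
        if(rtlgenrandom==NULL)
        {
            FreeLibrary(hlib);
            return old_RAND_poll();
        }

        for(c=0;c<1+(ENTROPY_NEEDED/sizeof(buffer));++c)
        {
            if(!rtlgenrandom(buffer,sizeof(buffer)))
            {
                FreeLibrary(hlib);
                return old_RAND_poll();
            }
            RAND_add(buffer,sizeof(buffer),sizeof(buffer));
        }

        FreeLibrary(hlib);
        return 1;
    }

A bad idea? Anything bad here?

Thanks in advance,

Adrià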


RE: Alternate RAND_poll for XP/2003 Server/Vista

Steven Reddie
That's an interesting blog article.  The 2nd comment is by the author and lists the entropy sources.  I recall there was discussion on this list quite some time ago where it was stated that OpenSSL wouldn't use only the CryptoAPI random number generator since Microsoft hadn't provided details of how the entropy was gathered.  Perhaps the information in that post provides enough detail to warrant dropping all of the heap walking guff that has been known to trip up OpenSSL on occasion.
 
Adria, RAND_poll already calls CryptGenRandom doesn't it?  You could probably just comment out all of the other code to get the same result.
 
Steven



Re: Alternate RAND_poll for XP/2003 Server/Vista

Corinna Vinschen
On Dec  2 00:45, Steven Reddie wrote:

> That's an interesting blog article.  The 2nd comment is by the author and
> lists the entropy sources.  I recall there was discussion on this list quite
> some time ago where it was stated that OpenSSL wouldn't use only the
> CryptoAPI random number generator since Microsoft hadn't provided details of
> how the entropy was gathered.  Perhaps the information in that post provides
> enough detail to warrant dropping all of the heap walking guff that has been
> known to trip up OpenSSL on occasion.
>  
> Adria, RAND_poll already calls CryptGenRandom doesn't it?  You could
> probably just comment out all of the other code to get the same result.

I'm wondering about this anyway.  While the exact code of CryptGenRandom
isn't open source, MSDN has a quite extensive description how the random
numbers are generated by CryptGenRandom, see the Remarks section in
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptgenrandom.asp
which also talks about the entropy sources used.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

RE: Alternate RAND_poll for XP/2003 Server/Vista

Adrià Massanet
In reply to this post by Steven Reddie

Well, rtlGenRandom is cryptographic-provider independent. So, I assume that this is the "Windows Way" to get random data (but on the other hand the MSDN page says that it is not a standard call), instead of CryptGenRandom, which is crypto-provider dependent. It is possible that both results are equal in practice, but I think not in concept (too theoretical?). I'm thinking of rtlGenRandom as being like /dev/random, but possibly they are not the same.

The problem here is that there's no way to get the advantage of trusting rtlGenRandom / CryptGenRandom. Perhaps this option must be compile-time or definable at runtime.

 

Adrià

 

 


Re: Alternate RAND_poll for XP/2003 Server/Vista

Jack Lloyd
In reply to this post by Steven Reddie
On Fri, Dec 02, 2005 at 12:45:44AM +1100, Steven Reddie wrote:
> That's an interesting blog article.  The 2nd comment is by the author and
> lists the entropy sources.  I recall there was discussion on this list quite
> some time ago where it was stated that OpenSSL wouldn't use only the
> CryptoAPI random number generator since Microsoft hadn't provided details of
> how the entropy was gathered.  Perhaps the information in that post provides
> enough detail to warrant dropping all of the heap walking guff that has been
> known to trip up OpenSSL on occasion.

That wouldn't work if you still wish to support Windows systems prior to
XP/2003 - and I know for a fact that people are still deploying new code on NT4
right now, so that decision might be unpopular. That's not to say it is not the
right decision (personally I'd love to forget supporting Windows < XP/2K3, just
as I don't have to make sure my code works on RedHat 5.0 or HP-UX 9), but
certainly it will cause complaints.

Also, in theory, CryptGenRandom can be better than the new function, since,
*if* you have an alternate crypto provider (such as one that pulls in entropy
from the old i810 motherboard RNG, or an HSM, or whatever) you might get a
better entropy source. Now, the question is if that benefit is worth the
overhead and mess of dealing with CryptoAPI... I would tend to say it is not,
because so few people will actually have such special hardware/providers
installed. But it is worth considering.

-Jack

Re: Alternate RAND_poll for XP/2003 Server/Vista

Rick Jones-2
In reply to this post by Corinna Vinschen
Corinna Vinschen wrote:
> I'm wondering about this anyway.  While the exact code of CryptGenRandom
> isn't open source, MSDN has a quite extensive description how the random
> numbers are generated by CryptGenRandom, see the Remarks section in
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptgenrandom.asp
> which also talks about the entropy sources used.

Being otherwise blissfully ignorant of things Windows, does this snippet from
the URL above:

"With Microsoft CSPs, CryptGenRandom uses the same random number generator used
by other security components."

imply that CryptGenRandom might be satisfied by code other than that from
Microsoft described in the URL above?

rick jones

Re: Alternate RAND_poll for XP/2003 Server/Vista

Corinna Vinschen
On Dec  1 12:43, Rick Jones wrote:

> Corinna Vinschen wrote:
> >I'm wondering about this anyway.  While the exact code of CryptGenRandom
> >isn't open source, MSDN has a quite extensive description how the random
> >numbers are generated by CryptGenRandom, see the Remarks section in
> >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptgenrandom.asp
> >which also talks about the entropy sources used.
>
> Being otherwise blissfully ignorant of things Windows, does this snippet
> from the URL above:
>
> "With Microsoft CSPs, CryptGenRandom uses the same random number generator
> used by other security components."
>
> imply that CryptGenRandom might be satisfied by code other than that from
> Microsoft described in the URL above?

You omitted the next sentence:

"This allows numerous processes to contribute to a system-wide seed."

I understand this as "every process using one of the Microsoft CSPs
will internally access the same random number generator."  As if, say,
every process uses /dev/random on Linux.


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.

RE: Alternate RAND_poll for XP/2003 Server/Vista

Steven Reddie
Two sentences after that one are these:

        "To form the seed for the random number generator, a calling application
        supplies bits it might have-for instance, mouse or keyboard timing
        input-that are then added to both the stored seed and various system data
        and user data such as the process ID and thread ID, the system clock, the
        system time, the system counter, memory status, free disk clusters, the
        hashed user environment block. This result is SHA-1 hashed, and the output
        is used to seed an RC4 stream, which is then used as the random stream and
        used to update the stored seed."

So although all processes access the same PRNG it seems that there is
provision to "mix it up" a little.

I imagine that an installed Cryptographic Provider could provide its own
PRNG and Windows could be configured to use that instead.


RE: Alternate RAND_poll for XP/2003 Server/Vista

Steven Reddie
In reply to this post by Jack Lloyd
CryptGenRandom is available on all Windows back to Windows 95.  RtlGenRandom
is only available since XP, however CryptGenRandom makes use of it.
Presumably RtlGenRandom has always been around, it's just never been
documented or made generally available until now.

Why is there a reluctance to deal with CryptoAPI?  I've used CryptGenRandom
in my own code and never had a problem with it.

Regards,

Steven


Re: Alternate RAND_poll for XP/2003 Server/Vista

Corinna Vinschen
In reply to this post by Steven Reddie
On Dec  2 13:38, Steven Reddie wrote:

> Two sentences after that one are these:
>
> "To form the seed for the random number generator, a calling
> application supplies bits
> it might have-for instance, mouse or keyboard timing input-that are
> then added to both
> the stored seed and various system data and user data such as the
> process ID and thread ID,
> the system clock, the system time, the system counter, memory
> status, free disk clusters,
> the hashed user environment block. This result is SHA-1 hashed, and
> the output is used to seed
> an RC4 stream, which is then used as the random stream and used to
> update the stored seed."
>
> So although all processes access the same PRNG it seems that there is
> provision to "mix it up" a little.
>
> I imagine that an installed Cryptographic Provider could provide its own
> PRNG and Windows could be configured to use that instead.

If you install another CSP, you can use this CSP and this CSP in turn
can use another source for its cryptographic magic, including the
sources for its random number generator.  The above description is only
valid for the predefined CSPs as delivered by default by the OS[1].

If you decide to use CryptGenRandom, you also have to call
CryptAcquireContext[2].  This function gets the CSP as an argument.  If
you use NULL here, as the openssl library does, the CSP is the one set
as the user default CSP.  The user default CSP can be set by a call to
CryptSetProvider[3], and is then used as the default provider for this
user.  Every process started after this call gets the new CSP.  This
means, that the openssl library can not be sure to use the same CSP all
the time, or even a trustworthy one (for a given value of trust).

But, if you call CryptAcquireContext with one of the Microsoft
predefined CSPs, you can rely on the fact that the same random number
generator is used all the time and the description above describes how
the random numbers are generated then.  Whatever your trust level in
relation to Microsoft is, you know at least which CSP is used.

FWIW, the Cygwin implementation of /dev/random and /dev/urandom uses the
"Microsoft Base Cryptographic Provider 1.0", MS_DEF_PROV, so at least
it's using the same cryptographic source all the time.  Shouldn't a
fixed CSP be used for the native Windows random number generator in
crypt/rand/rand_win.c, too?


Corinna

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptographic_provider_names.asp
[2] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptacquirecontext.asp
[3] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptsetprovider.asp

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.
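
The fixed-provider call described in the message above, as an added example that is not part of the original thread and is not OpenSSL's or Cygwin's code. The names os_random_bytes, os_random_close and provider_open are hypothetical, the PROV_RSA_FULL type and CRYPT_VERIFYCONTEXT flag are assumptions the thread does not mention, and the non-Windows branch reads /dev/urandom only so that the block also builds off Windows.

```c
/* Added example: not code from OpenSSL, Cygwin or the thread. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>

/* Acquired once and kept, so the provider is not set up and torn down on
 * every call. Not thread-safe: call once before starting threads. */
static HCRYPTPROV g_prov = 0;

static int provider_open(void)
{
    if (g_prov != 0)
        return 1;
    /* Name the CSP explicitly. A NULL provider name selects the user
     * default CSP, which CryptSetProvider can change. CRYPT_VERIFYCONTEXT
     * (assumption, not from the thread) skips key-container access. */
    if (!CryptAcquireContextA(&g_prov, NULL, MS_DEF_PROV_A, PROV_RSA_FULL,
                              CRYPT_VERIFYCONTEXT)) {
        g_prov = 0;
        return 0;
    }
    return 1;
}

int os_random_bytes(unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0 || len > 0x7fffffffu)
        return 0;
    if (!provider_open())
        return 0;
    return CryptGenRandom(g_prov, (DWORD)len, buf) ? 1 : 0;
}

void os_random_close(void)
{
    if (g_prov != 0) {
        CryptReleaseContext(g_prov, 0);
        g_prov = 0;
    }
}
#else
/* Non-Windows build: the /dev/urandom analogue mentioned in the thread. */
int os_random_bytes(unsigned char *buf, size_t len)
{
    FILE *f;
    size_t got;

    if (buf == NULL || len == 0)
        return 0;
    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 1 : 0;
}

void os_random_close(void) { }
#endif

int main(void)
{
    unsigned char seed[32];
    size_t i;

    if (!os_random_bytes(seed, sizeof(seed))) {
        fprintf(stderr, "no random bytes; fall back to another source\n");
        return 1;
    }
    /* An OpenSSL caller would hand these bytes to RAND_add(), as the
     * first post in the thread does. */
    for (i = 0; i < sizeof(seed); i++)
        printf("%02x", seed[i]);
    printf("\n");
    memset(seed, 0, sizeof(seed));
    os_random_close();
    return 0;
}
```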

Re: Alternate RAND_poll for XP/2003 Server/Vista

Jack Lloyd
In reply to this post by Steven Reddie
On Fri, Dec 02, 2005 at 01:44:49PM +1100, Steven Reddie wrote:
> CryptGenRandom is available on all Windows back to Windows 95.  RtlGenRandom
> is only available since XP, however CryptGenRandom makes use of it.
> Presumably RtlGenRandom has always been around, it's just never been
> documented or made generally available until now.

From what I can tell, up until recently the PRNG was embedded into CryptoAPI,
and could not be accessed without going through that. I would imagine that what
happened is that the PRNG implemented by CryptGenRandom was split off into its
own distinct chunk of code starting with XP. Keep in mind that right now it
doesn't even have an entry point - you have to get ahold of it dynamically
through a DLL load. It seems pretty obvious that RtlGenRandom was supposed to
just be used internally, with CryptoAPI being the primary interface. Probably
someone at Microsoft finally realized that it might be useful to get random
bits without having to pull all of CryptoAPI into the mix.

> Why is there a reluctance to deal with CryptoAPI?  I've used CryptGenRandom
> in my own code and never had a problem with it.

I don't have huge issues with it myself (in terms of entropy generation,
CryptGenRandom has been fairly painless compared to some other mechanisms), but
CryptoAPI is somewhat big, and there are various annoyances, such as the fact
that repeatedly initializing and shutting down CryptoAPI causes a large memory
leak on some older systems.

-J

RE: Alternate RAND_poll for XP/2003 Server/Vista

Steven Reddie
Hi Jack,

> I don't have huge issues with it myself (in terms of entropy generation,
> CryptGenRandom has been fairly painless compared to some other mechanisms),
> but CryptoAPI is somewhat big, and there are various annoyances, such as the
> fact that repeatedly initializing and shutting down CryptoAPI causes a large
> memory leak on some older systems.

Can you elaborate on the situation where repeatedly initializing and
shutting down CryptoAPI causes a large memory leak, particularly why you
needed to do this.  I raised a similar issue where OpenSSL suffers such a
leak (though not large) and was told it was an unrealistic scenario.  I
couldn't think of a great example on the spot, but given the dynamic plugin
architecture of large apps it's something that I feel needs addressing.

Regards,

Steven


Re: Alternate RAND_poll for XP/2003 Server/Vista

Jack Lloyd
On Sat, Dec 03, 2005 at 10:25:19PM +1100, Steven Reddie wrote:

> Can you elaborate on the situation where repeatedly initializing and
> shutting down CryptoAPI causes a large memory leak,

See http://support.microsoft.com/default.aspx?scid=kb;en-us;258000

> particularly why you needed to do this.

It was simply more convenient and useful for me, in that I didn't have to
maintain state about Crypto API across entropy generation calls. Since
typically (in my code) CryptGenRandom will be called exactly once, at
application start up when the PRNG is seeded, there didn't seem to be much
reason to keep the whole thing around in memory throughout the application's
execution. It also made the code cleaner.

-Jack

Re: Alternate RAND_poll for XP/2003 Server/Vista

Andy Polyakov
In reply to this post by Adrià Massanet
> I’m using OpenSSL as a module in PHP (php_openssl), and I need to call
> the CGI page may times per second
>  but the initialization process in RAND_poll is too slow.
>
> I’m thinking to modify OpenSSL to use the rtlGenRandom call available in
> XP/2003 Server/Vista OSs
>
> (see http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx 
> for comments on rtlGenRandom )

Do the above statements and posted code mean that you can actually
confirm that you've verified that it's call to CryptGenRandom [or
CryptAcquireContext] that is holding RAND_poll back and not something
else? If not, then one should first figure out that, rather than jumping
at something they don't guarantee there is and even in clear text advise
to favor CryptGenRandom. Once it's done one should make an effort to
find a [more] legitimate way to optimize the "guilty" one.

As for CryptGenRandom and "RtlGenRandom" in more general sense. Registry
access tracing suggests that both calls maintain a shared 80-bit
Cryptography\RNG\Seed value in HKLM. How do unprivileged programs do it
is actually [smaller] mystery, because the key is not writable for
mortals [what I see is most likely kernel driver access accounted to my
user-land application]. But what appears alerting is that the key value
is publicly readable, meaning that adversary non-privileged application
can follow its changes. Is there evidence that this adversary
application can't deduce the random values obtained by application based
on observed seed values?

A.
