I am creating an RSA key pair with the following code (C and OpenSSL library):

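```c
#include <err.h>
#include <stdio.h>
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include <openssl/rsa.h>

/* RSA_KEY_SIZE (modulus size in bits) is defined elsewhere in the asker's code. */

void rsa_gen_keys_ca(void) {
    RSA *keypair = NULL;
    unsigned char *pub_key = NULL;
    BIGNUM *bne = NULL;
    unsigned long e = RSA_F4;   /* public exponent 65537 */
    int success = 0;

    bne = BN_new();
    success = BN_set_word(bne, e);
    if (!success) {
        /* warnx() instead of errx(): errx() exits, so the cleanup below would never run */
        warnx("\nrsa_gen_keys_ca failed at BN_set_word result.");
        goto free_all;
    }

    keypair = RSA_new();
    success = RSA_generate_key_ex(keypair, RSA_KEY_SIZE, bne, NULL);
    if (!success) {
        warnx("\nrsa_gen_keys_ca failed at RSA_generate_key_ex result.");
        goto free_all;
    }

    /* With pub_key == NULL, i2d_RSAPublicKey() allocates the DER buffer and returns its length */
    success = i2d_RSAPublicKey(keypair, &pub_key);
    if (success < 0) {
        warnx("\nrsa_gen_keys_ca failed at i2d_RSAPublicKey result.");
        goto free_all;
    }
    /* DER is binary, not a NUL-terminated string, so report its length instead of printing it with %s */
    printf("==========RSA Public Key successfully extracted: %d DER bytes\n", success);

free_all:
    OPENSSL_free(pub_key);   /* buffer allocated by i2d_RSAPublicKey() */
    RSA_free(keypair);
    BN_free(bne);
}
```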

When I run it, I am receiving the following warning:

```
random: uninitialized urandom read (32 bytes read)
```

I think leaving the code with this warning would be a security concern, since in the past I read something regarding the urandom generator.

Can anyone explain this warning and how to avoid it?

Dalton Cézane
  • 1
    You can use `else` statements instead of `goto`. Everyone here will thank you – Tim Randall Sep 10 '18 at 19:00
  • 2
    The `random` and `urandom` devices on a Linux machine consume entropy (such as the movement of your mouse) in order to create pseudo-random numbers. However, if you consume all the entropy that has been generated, and still need more random numbers, `random` will block until more entropy is generated. `urandom`, on the other hand, will fall back to an algorithm to produce random numbers. This is likely a case where it goes to the fallback and is warning you that it is doing so. – Christian Gibbons Sep 10 '18 at 19:04
  • 3
    @TimRandall Error handling is one of the accepted uses of `goto`. – Christian Gibbons Sep 10 '18 at 19:05
  • @TimRandall, I recommend reading [this text](https://eli.thegreenplace.net/2009/04/27/using-goto-for-error-handling-in-c) and [this question/answer at sof](https://stackoverflow.com/questions/788903/valid-use-of-goto-for-error-management-in-c). – Dalton Cézane Sep 10 '18 at 19:20
  • Thank you for the explanation, @Christian. So, this warning is not a security concern, is it? Do you suggest any change to my code related to this warning? – Dalton Cézane Sep 10 '18 at 19:25
  • 1
    @DaltonCézane I wouldn't be confident in my knowledge of the subject to declare something critical as "secure enough". Try reading the manpage (`man 4 random`) and maybe it'll give you enough to make that decision for yourself. I will leave this excerpt, though: "*If you are unsure about whether you should use /dev/random or /dev/urandom, then probably you want to use the latter. As a general rule, /dev/urandom should be used for everything except long-lived GPG/SSL/SSH keys.*" – Christian Gibbons Sep 10 '18 at 19:37
  • @ChristianGibbons: If the message were reporting that `urandom` is falling back to pseudo-random numbers, I would expect it to say that much more clearly, such as `urandom: entry depleted, falling back to pseudo-random generation`. I would not expect the message to include the word “uninitialized,” as that obviously implies something is uninitialized, which is a more serious problem than entropy depletion. Do you have any reference for your interpretation of this message? – Eric Postpischil Sep 10 '18 at 21:37
  • @EricPostpischil I do not have any documentation to that effect, unfortunately, so I cannot be, at this time, 100% certain that it is exactly what is happening (which is why I used the qualifier 'likely' to put in some amount of uncertainty). Searching the web for things related to uninitialized urandom almost all point to `systemd` using `urandom` before initializing its entropy. – Christian Gibbons Sep 10 '18 at 22:11
  • Does your program call `RAND_status()` and/or `RAND_seed()` at some point before any other OpenSSL functions that use random numbers? – Shawn Sep 10 '18 at 22:26
  • 1
    Also, where are you seeing this warning? OpenSSL doesn't normally print out warnings on its own and that doesn't look like an OpenSSL error string... – Shawn Sep 10 '18 at 22:31
  • 1
    @Shawn I believe it is a kprint you can find in the kernel's `random.c` – Christian Gibbons Sep 10 '18 at 22:39
  • 2
    The google suggests that this is *not* in fact a C warning but a message from the kernel warning that `urandom` is delivering bytes from the secure random device before it has been satisfactorily initialized. It may or may not be a problem but I wouldn't ignore it, especially for long-lived RSA keys. – President James K. Polk Sep 10 '18 at 22:43
  • No, @Shawn. There is no such call in my code. I did not see this kind of information. I think this warning happens when the RSA key pair is created. If you know how to deal with it, please provide an answer so that I can mark it. – Dalton Cézane Sep 11 '18 at 14:01
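
The last comments identify the message as a kernel warning that `/dev/urandom` was read before the kernel's random source had been initialized. As an added example (not part of the original question or its comments), the C code below uses `getrandom(2)`, which with flags `0` blocks until that source is initialized, to probe the state and to gate key generation on it. It assumes Linux 3.17+ with glibc 2.25+; the function names `kernel_rng_ready` and `read_seeded_random` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>   /* getrandom(), GRND_NONBLOCK */
#include <sys/types.h>    /* ssize_t */

/* Non-blocking probe (hypothetical helper).
 * Returns 1 if the kernel random source is initialized, 0 if not yet,
 * -1 on any other error (for example ENOSYS on a kernel older than 3.17). */
int kernel_rng_ready(void) {
    unsigned char b;
    ssize_t n = getrandom(&b, 1, GRND_NONBLOCK);
    if (n == 1) return 1;
    if (n < 0 && errno == EAGAIN) return 0;   /* not initialized yet */
    return -1;
}

/* Fill buf with len bytes from the kernel CSPRNG (hypothetical helper).
 * With flags 0, getrandom() blocks until the source is initialized, so an
 * "uninitialized" read cannot happen. Retries on EINTR and short reads.
 * Returns 0 on success, -1 on error. */
int read_seeded_random(unsigned char *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

int main(void) {
    unsigned char seed[32];

    if (kernel_rng_ready() == 0)
        fprintf(stderr, "kernel RNG not initialized yet, waiting...\n");

    if (read_seeded_random(seed, sizeof seed) != 0) {
        perror("getrandom");
        return 1;
    }
    /* The kernel source is initialized from here on, so key generation
     * such as rsa_gen_keys_ca() can run. Optionally, the bytes in seed
     * can also be passed to OpenSSL's RAND_seed(). */
    puts("kernel RNG initialized; safe to generate keys");
    return 0;
}
```
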

0 Answers