author | Jack Lloyd <[email protected]> | 2019-06-30 16:11:07 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2019-08-16 12:55:17 -0400 |
commit | d146e8aae19336ee625b604bce57b0feb1961aa8 (patch) | |
tree | 8a27925f5190350bcdbb8f32bd6f5f86a1a89839 /src/lib/entropy/rdrand/rdrand.cpp | |
parent | 2db314bb9659ac2a34ab2954a9717c6f17279cb8 (diff) |
Use RDRAND in such a way that an internal reseed is performed
At least according to Intel's docs.
Closes #447
Diffstat (limited to 'src/lib/entropy/rdrand/rdrand.cpp')
-rw-r--r-- | src/lib/entropy/rdrand/rdrand.cpp | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/src/lib/entropy/rdrand/rdrand.cpp b/src/lib/entropy/rdrand/rdrand.cpp
index b8a74ce2f..e22227326 100644
--- a/src/lib/entropy/rdrand/rdrand.cpp
+++ b/src/lib/entropy/rdrand/rdrand.cpp
@@ -1,6 +1,6 @@
 /*
 * Entropy Source Using Intel's rdrand instruction
-* (C) 2012,2015 Jack Lloyd
+* (C) 2012,2015,2019 Jack Lloyd
 * (C) 2015 Daniel Neus
 *
 * Botan is released under the Simplified BSD License (see license.txt)
@@ -13,12 +13,29 @@ namespace Botan {
 
 size_t Intel_Rdrand::poll(RandomNumberGenerator& rng)
    {
-   if(BOTAN_ENTROPY_INTEL_RNG_POLLS > 0 && RDRAND_RNG::available())
+   /*
+   * Intel's documentation for RDRAND at
+   * https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide
+   * claims that software can guarantee a reseed event by polling enough data:
+   * "There is an upper bound of 511 samples per seed in the implementation
+   * where samples are 128 bits in size and can provide two 64-bit random
+   * numbers each."
+   *
+   * By requesting 8192 bytes we are asking for 512 samples and thus are assured
+   * that at some point in producing the output, at least one reseed of the
+   * internal state will occur.
+   *
+   * The alternative approach is to "Iteratively execute 32 RDRAND invocations
+   * with a 10 us wait period per iteration." however in practice this proves to
+   * be about 20x slower, despite producing much less seed material.
+   */
+   const size_t RDRAND_POLL_BYTES = 8*1024;
+
+   if(RDRAND_RNG::available())
       {
       RDRAND_RNG rdrand_rng;
-      secure_vector<uint8_t> buf(4 * BOTAN_ENTROPY_INTEL_RNG_POLLS);
-
-      rdrand_rng.randomize(buf.data(), buf.size());
+      secure_vector<uint8_t> buf(RDRAND_POLL_BYTES);
+      rdrand_rng.randomize(&buf[0], buf.size());
       rng.add_entropy(buf.data(), buf.size());
       }
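Review bot: The new line `rdrand_rng.randomize(&buf[0], buf.size());` swaps the previous `buf.data()` for `&buf[0]` while the `rng.add_entropy(buf.data(), buf.size());` line directly below keeps `buf.data()`; `&buf[0]` is undefined on an empty vector (harmless here because RDRAND_POLL_BYTES is a fixed 8192, but it reads as a regression), so both lines should use the same form, `rdrand_rng.randomize(buf.data(), buf.size());`. The removed condition also drops `BOTAN_ENTROPY_INTEL_RNG_POLLS > 0` entirely, so presumably this source can no longer be switched off through that build setting; if the macro is still emitted by the build configuration it is now dead and should either be retired there or its removal mentioned in the new comment. The "512 samples" arithmetic in the comment holds only if RDRAND_RNG::randomize consumes a full 64-bit half of each 128-bit sample per instruction, which is not visible here (a build that issues 32-bit RDRANDs may behave differently); a short note such as `// assumes randomize() draws 64 bits per RDRAND, see RDRAND_RNG::randomize` would make that precondition explicit next to the constant. The body of Intel_Rdrand::poll continues past the end of the hunk.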