Bug#448775: Uses too much entropy (Debian Bug #343085)

Simon Josefsson simon at josefsson.org
Fri Jan 4 15:16:57 CET 2008


Werner Koch <wk at gnupg.org> writes:

> On Fri,  4 Jan 2008 13:41, simon at josefsson.org said:
>
>> We could consider doing something like that in gnutls too, to help
>> applications avoid having to do it themselves.  However, the
>> documentation on UPDATE_SEED seems somewhat discouraging.  I'm not sure
>
> Let's say this description is very conservative and mostly written for
> security evaluations.  The "up to 16 bytes of weak random" is not even
> correct for Linux because there we will always read 16 bytes from
> /dev/urandom and thus the whole theoretical attack won't work.  I'll
> revise the description a bit.

Ok.  Still, my main question is whether GnuTLS could utilize these hooks
somehow.  I guess we could have two functions:

/* Must be called before gnutls_global_init(). */
int
gnutls_set_random_seed_file (const char *filename);

/* Write the current seed back to the file set above. */
int
gnutls_update_random_seed (void);

The first function would have to be called before gnutls_global_init().
Then exim could invoke the function, to avoid having to call libgcrypt
directly.

However, when is it useful for an application to save the seed?  Is it
useful to do this often, or only when the process exits?

Isn't it more reliable to never save the seed file, but to have a cron
job to generate a new seed file that can be run every other week or so?

Maybe the gnutls_update_random_seed function isn't needed.

There is also the problem if something other than gnutls has already
initialized libgcrypt.  This could happen if exim links to some other
library that uses libgcrypt, for example, an LDAP or database library,
which gets initialized before.  I'm not sure what we can do about this
situation.  I also dislike global functions like this.

/Simon
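The cron-job alternative raised above, as an added example that is not part of the original message or of GnuTLS/libgcrypt: a POSIX shell script that a periodic job could run to regenerate a seed file from the kernel pool. The seed file path and the byte count are placeholders; the exact size and format libgcrypt expects for its seed file are not stated in the message, so the 600-byte default here is an assumption. The point the script shows is the defensive handling: the file is created with mode 0600 before it receives any bytes, and the new seed replaces the old one by an atomic rename within the same directory, so a process that reads the seed never observes a partially written file.

```shell
#!/bin/sh
# Added example (not from the original message): periodic seed-file rotation
# in the spirit of the cron-job suggestion.  Placeholder path and size;
# libgcrypt's real seed-file size/format is an assumption here.
set -eu

# rotate_seed_file <path> [nbytes]
# Leaves <path> containing exactly nbytes fresh bytes from /dev/urandom,
# mode 0600, replaced atomically.  Returns non-zero if the write was short.
rotate_seed_file() {
    seed="$1"
    nbytes="${2:-600}"          # assumed size, see note above
    dir=$(dirname "$seed")

    # Create the temporary file in the target directory so the final mv is
    # a rename on one filesystem and therefore atomic.  Restrict permissions
    # before any seed material is written into it.
    tmp=$(mktemp "$dir/.seed.XXXXXX")
    chmod 600 "$tmp"

    # Fill it from the kernel pool and verify the length; never install a
    # short seed file.
    head -c "$nbytes" /dev/urandom > "$tmp"
    got=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$got" -ne "$nbytes" ]; then
        rm -f "$tmp"
        echo "seed rotation: wrote $got of $nbytes bytes" >&2
        return 1
    fi

    mv -f "$tmp" "$seed"
}

# seed_file_ok <path> <nbytes>
# Succeeds only if the file exists, has the expected size, and grants no
# group/other permission bits (i.e. the seed is private to its owner).
seed_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$2" ] || return 1
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
}

# Stand-alone demonstration using a throwaway directory (constructed input,
# not a real system path).  A cron entry would call rotate_seed_file on the
# application's configured seed path instead.
DEMO_DIR=$(mktemp -d)
DEMO_SEED="$DEMO_DIR/random_seed"
rotate_seed_file "$DEMO_SEED" 600
if seed_file_ok "$DEMO_SEED" 600; then
    echo "rotated $DEMO_SEED"
fi
```

Running the script twice against the same path exercises the replacement case: the second call overwrites the existing seed through the same temporary-file-and-rename path rather than truncating the live file in place.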


