Werner Koch wk at gnupg.org
Fri Aug 7 09:13:57 CEST 2015

On Thu,  6 Aug 2015 22:54, dar.linux at free.fr said:

> Sometimes when the cipher is blowfish, I get libgcrypt reporting such
> random password as weak...

gpg create a session key this way:

    gcry_randomize (dek->key, dek->keylen, GCRY_STRONG_RANDOM );
    for (i=0; i < 16; i++ )
	rc = gcry_cipher_setkey (chd, dek->key, dek->keylen);
	if (!rc)
	    gcry_cipher_close (chd);
        if (gpg_err_code (rc) != GPG_ERR_WEAK_KEY)
	log_info(_("weak key created - retrying\n") );
	/* Renew the session key until we get a non-weak key. */
	gcry_randomize (dek->key, dek->keylen, GCRY_STRONG_RANDOM);
    log_fatal (_("cannot avoid weak key for symmetric cipher; "
                 "tried %d times!\n"), i);

To test that code I had to use a modified version of libgcrypt.  I never
noticed one of the messages on a real system.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gcrypt-devel mailing list