[gnutls-dev] Re: ongoing entropy problems

Simon Josefsson jas at extundo.com
Wed Feb 1 13:05:34 CET 2006


Werner Koch <wk at gnupg.org> writes:

> On Tue, 31 Jan 2006 19:30:29 +0100, Andreas Metzler said:
>
>> For bug #2 /dev/urandom is used, therefore there is no blocking in
>
> Who is using /dev/urandom: Exim proper or gnutls/libgcrypt?
>
>> exim, just the fact that anything using /dev/random will block, as
>> there is no entropy left.
>
> For my understanding, will someone be so kind to answer these
> questions:
>
>  1. Does gnutls use GCRY_VERY_STRONG_RANDOM?

Yes, in gc_random() which is used by RAND_bytes in
libextra/gnutls_openssl.c.  Otherwise, no, as far as I can see.

Is exim using the OpenSSL compatibility interface?  Does it invoke
RAND_bytes?

GnuTLS calls gnutls_mpi_randomize in a few places, but only with
GCRY_STRONG_RANDOM.

>  2. Does gnutls save the random seed file?
>         gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, filename);
>       atexit:
>         gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);

No.  Should it?  What should we use as the filename?

>  3. Does the problem only occur for inetd invoked exims?

I don't know.

Thanks.



More information about the Gnutls-dev mailing list