[gnutls-dev] Feature request: not really random session keys

Florian Weimer fw at deneb.enyo.de
Mon Jan 30 17:26:00 CET 2006


* Werner Koch:

> On Mon, 30 Jan 2006 14:18:43 +0100, Florian Weimer said:
>
>> Why not fix /dev/random instead, and add the functionality which is
>> missing there?  With all the trouble with threading, forking, and so
>> on, it might make sense to put this into the kernel.
>
> Sure.  That was orginally Ted Tso's plan but he could not get a solid
> RNG into the kernel because the kernel hackers required to amke
> /dev/random optional and Ted's plan was to have a solid RNG in the
> kernel as a standard service.

/dev/random is no longer optional, it's needed by the network stack
(to generate random keys for internal hash functions, for instance, or
for the secret which is used to compute SYN cookies).

Some changes are still desirable, though.  Someone needs to review the
entropy sources and verify that the estimates are correct.  It would
be a good idea to incorporate a few of Peter Gutmann's suggestions, I
think.  (I'll see what I can do about this, but this particular issue
has been on my to-do list for four or five years. 8-/)

> Some OSes don't have a /dev/random or worse a predictable one (some OS X).
> Thus we need to do it on our own to be portable.

Then you need a special daemon.  However, I would like to avoid the
additional administrative overhead on systems where the kernel can be
fixed.




More information about the Gnutls-devel mailing list