Bug#475168: Bug #475168 is still present in libgcrypt11 1.4.5-2

Simon Josefsson simon at josefsson.org
Thu Sep 30 08:03:24 UTC 2010


sacrificial-spam-address at horizon.com writes:

> certtool still makes 25 120-byte reads from /dev/urandom, fetching 3000
> bytes (14400 bits) when 32 (256 bits) is more than enough.

As far as I understand, this is an intentional libgcrypt design.  In any
case, it is a libgcrypt issue.

Btw, the current development version of GnuTLS is using GNU Nettle for
crypto instead of Libgcrypt, and it uses an internal Yarrow PRNG seeded
by smaller amounts of data from /dev/urandom.

/Simon

> To quote "man 4 random":
>
> 	"if any program reads  more than 256 bits (32 bytes) from the
> 	kernel random pool per invocation, or per reasonable reseed
> 	interval (not less than one minute), that should be taken as a
> 	sign that its cryptography is not skilfully implemented."
>
> read(3, "v\35\223\375<\352qTU\331\316:"..., 120) = 120
> read(3, "y\34\220\36\345\374\316k\3\331\351\307"..., 120) = 120
> read(3, "\214\272\17@:\304\35LT$\2763"..., 120) = 120
> read(3, "\6\357\224>N\353\0\322Ys\311\0"..., 120) = 120
> read(3, "\264\f%\242\266\232\300\375\340)\203w"..., 120) = 120
> read(3, "Df\203\313\321+\305^|\251r\325"..., 120) = 120
> read(3, "\340\323nN\357\233Y?l\26v\n"..., 120) = 120
> read(3, "\16H\355\344\347fD\343\207\3118j"..., 120) = 120
> read(3, "\312\333)~J\"\226\250f\255\353\3"..., 120) = 120
> read(3, "\23\232\0\310B\331\t\266b,\201\314"..., 120) = 120
> read(3, ")\367R8\312\257\377a\204\340\255\274"..., 120) = 120
> read(3, "\274K\32}h=-(\243S\273\22"..., 120) = 120
> read(3, "\236\32UT\3655\276}Zjm\200"..., 120) = 120
> read(3, "\1\322C5\323\251\260\35\204\215\377l"..., 120) = 120
> read(3, "rBZ\347\312\202\0311\326q\21\331"..., 120) = 120
> read(3, "6\376t\255\33L\246\352mI\326\316"..., 120) = 120
> read(3, "\346\207\3715g[!\201~\34f\220"..., 120) = 120
> read(3, "X\2418\210\3063\26\3001\335\362\215"..., 120) = 120
> read(3, "o\257\232\331\33\355K\354mZ\361b"..., 120) = 120
> read(3, "\223\331%t\357\10\2347z\364!\20"..., 120) = 120
> read(3, ":\233F\375D\356CR\373\320\35$"..., 120) = 120
> read(3, "\225j\354C\216\272\257\354\205\vF,"..., 120) = 120
> read(3, "9\357.WK\213\206m\0074\3161"..., 120) = 120
> read(3, "+\370(\7\311\210J\332\340\342\275\210"..., 120) = 120
> read(3, "\273S\215\333\362\274l\253\272R\300\272"..., 120) = 120
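As an added example, not part of this bug thread nor of certtool, libgcrypt or GnuTLS: a small Python audit script that applies the "256 bits per invocation" budget quoted above from man 4 random to an strace log, so the check the reporter did by hand can be repeated against any binary. It assumes the strace line formats shown in the report (open()/read()/close() on /dev/urandom or /dev/random) plus the getrandom(2) form newer libraries use, and a single-process trace (no strace -f pid prefixes). The sample lines are constructed; three of the read() lines are copied from the report.

```python
"""Audit an strace log for kernel random-pool consumption.

Added example, not code from the Debian bug thread or from certtool/libgcrypt.
Sums the bytes a traced process pulled from /dev/urandom, /dev/random or
getrandom(2) and compares the total with the 256-bit budget that man 4 random
suggests per invocation.
"""
import re
from collections import defaultdict

# "if any program reads more than 256 bits (32 bytes) from the kernel random
# pool per invocation ..." (man 4 random, as quoted in the report)
BUDGET_BITS = 256

# open() (older strace) or openat(AT_FDCWD, ...) (newer strace) of the device;
# the return value is the fd that later read() calls use.
_OPEN_RE = re.compile(
    r'^(?:open|openat)\((?:AT_FDCWD,\s*)?"(/dev/u?random)"[^)]*\)\s*=\s*(\d+)')
# read(fd, "<escaped bytes>"..., count) = nread ; the string may contain \"
_READ_RE = re.compile(
    r'^read\((\d+),\s*"(?:[^"\\]|\\.)*"(?:\.\.\.)?,\s*\d+\)\s*=\s*(-?\d+)')
_CLOSE_RE = re.compile(r'^close\((\d+)\)\s*=\s*-?\d+')
# getrandom("<escaped bytes>"..., count, flags) = nread  (modern libraries)
_GETRANDOM_RE = re.compile(
    r'^getrandom\("(?:[^"\\]|\\.)*"(?:\.\.\.)?,\s*\d+,\s*[^)]*\)\s*=\s*(-?\d+)')


def audit_random_reads(lines, assume_fds=()):
    """Return a summary of kernel-pool reads in a single-process strace.

    assume_fds: fds to treat as the random device when the log does not
    contain the open() call (the quoted report starts mid-trace at fd 3).
    """
    open_fds = {fd: "assumed-fd" for fd in assume_fds}   # fd -> source label
    by_source = defaultdict(int)
    reads = 0
    for raw in lines:
        line = raw.strip()
        m = _OPEN_RE.match(line)
        if m:
            open_fds[int(m.group(2))] = m.group(1)
            continue
        m = _CLOSE_RE.match(line)
        if m:
            # fd numbers are reused; stop attributing reads once it is closed
            open_fds.pop(int(m.group(1)), None)
            continue
        m = _READ_RE.match(line)
        if m:
            fd, n = int(m.group(1)), int(m.group(2))
            if fd in open_fds and n > 0:        # short/failed reads add 0
                reads += 1
                by_source[open_fds[fd]] += n
            continue
        m = _GETRANDOM_RE.match(line)
        if m and int(m.group(1)) > 0:
            reads += 1
            by_source["getrandom"] += int(m.group(1))
    total = sum(by_source.values())
    return {
        "reads": reads,
        "bytes": total,
        "bits": total * 8,
        "over_budget": total * 8 > BUDGET_BITS,
        "by_source": dict(by_source),
    }


# Constructed sample: an open() line plus three of the 25 read() calls from
# the report above (the full trace would total 3000 bytes).
SAMPLE_CERTTOOL = r'''
open("/dev/urandom", O_RDONLY) = 3
read(3, "v\35\223\375<\352qTU\331\316:"..., 120) = 120
read(3, "\312\333)~J\"\226\250f\255\353\3"..., 120) = 120
read(3, "\214\272\17@:\304\35LT$\2763"..., 120) = 120
close(3) = 0
'''.strip().splitlines()

# Constructed sample of a library that seeds its own DRBG with one 32-byte
# getrandom(2) call, the pattern the 256-bit budget is aimed at.
SAMPLE_SEED_ONLY = r'''
getrandom("\237\32\4\0\301\177\22\346"..., 32, GRND_NONBLOCK) = 32
'''.strip().splitlines()

if __name__ == "__main__":
    for name, log in (("certtool-excerpt", SAMPLE_CERTTOOL),
                      ("seed-only", SAMPLE_SEED_ONLY)):
        r = audit_random_reads(log)
        print(f"{name}: {r['reads']} reads, {r['bits']} bits "
              f"({'OVER' if r['over_budget'] else 'within'} {BUDGET_BITS}-bit budget)")
```

Run it as `strace -e trace=open,openat,read,close,getrandom -o trace.log certtool ...` and feed `trace.log` to `audit_random_reads`; pass `assume_fds=(3,)` when, as in the report, the log was cut after the open() call.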
