sacrificial-spam-addr...@horizon.com writes:

> certtool still makes 25 120-byte reads from /dev/urandom, fetching 3000
> bytes (14400 bits) when 32 (256 bits) is more than enough.

As far as I understand, this is an intentional libgcrypt design. In any
case, it is a libgcrypt issue.

Btw, the current development version of GnuTLS is using GNU Nettle for
crypto instead of Libgcrypt, and it uses an internal Yarrow PRNG seeded
by smaller amounts of data from /dev/urandom.

/Simon

> To quote "man 4 random":
>
> "if any program reads more than 256 bits (32 bytes) from the
> kernel random pool per invocation, or per reasonable reseed
> interval (not less than one minute), that should be taken as a
> sign that its cryptography is not skilfully implemented."
>
> read(3, "v\35\223\375<\352qTU\331\316:"..., 120) = 120
> read(3, "y\34\220\36\345\374\316k\3\331\351\307"..., 120) = 120
> read(3, "\214\272\17@:\304\35LT$\2763"..., 120) = 120
> read(3, "\6\357\224>N\353\0\322Ys\311\0"..., 120) = 120
> read(3, "\264\f%\242\266\232\300\375\340)\203w"..., 120) = 120
> read(3, "Df\203\313\321+\305^|\251r\325"..., 120) = 120
> read(3, "\340\323nN\357\233Y?l\26v\n"..., 120) = 120
> read(3, "\16H\355\344\347fD\343\207\3118j"..., 120) = 120
> read(3, "\312\333)~J\"\226\250f\255\353\3"..., 120) = 120
> read(3, "\23\232\0\310B\331\t\266b,\201\314"..., 120) = 120
> read(3, ")\367R8\312\257\377a\204\340\255\274"..., 120) = 120
> read(3, "\274K\32}h=-(\243S\273\22"..., 120) = 120
> read(3, "\236\32UT\3655\276}Zjm\200"..., 120) = 120
> read(3, "\1\322C5\323\251\260\35\204\215\377l"..., 120) = 120
> read(3, "rBZ\347\312\202\0311\326q\21\331"..., 120) = 120
> read(3, "6\376t\255\33L\246\352mI\326\316"..., 120) = 120
> read(3, "\346\207\3715g[!\201~\34f\220"..., 120) = 120
> read(3, "X\2418\210\3063\26\3001\335\362\215"..., 120) = 120
> read(3, "o\257\232\331\33\355K\354mZ\361b"..., 120) = 120
> read(3, "\223\331%t\357\10\2347z\364!\20"..., 120) = 120
> read(3, ":\233F\375D\356CR\373\320\35$"..., 120) = 120
> read(3, "\225j\354C\216\272\257\354\205\vF,"..., 120) = 120
> read(3, "9\357.WK\213\206m\0074\3161"..., 120) = 120
> read(3, "+\370(\7\311\210J\332\340\342\275\210"..., 120) = 120
> read(3, "\273S\215\333\362\274l\253\272R\300\272"..., 120) = 120
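
Added example, not part of the original thread and not GnuTLS or libgcrypt code: a Python audit that totals the bytes a traced process reads from the kernel RNG devices in `strace` output and compares the total with the 32-byte figure from the quoted man page. The function names and the sample trace (including its `open` and `close` lines) are constructed for illustration.

```python
import re

# Budget from the random(4) text quoted in the thread: 256 bits per invocation.
MAX_BYTES = 32
RNG_DEVICES = ("/dev/urandom", "/dev/random")

OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)".*\)\s+=\s+(\d+)\s*$')
READ_RE = re.compile(r'^read\((\d+),.*\)\s+=\s+(\d+)\s*$')
CLOSE_RE = re.compile(r'^close\((\d+)\)')


def audit_random_reads(strace_text):
    """Return {device: (read_calls, total_bytes)} for reads from kernel RNG devices."""
    fd_to_dev = {}  # descriptors currently open on an RNG device
    totals = {}
    for line in strace_text.splitlines():
        line = line.strip()
        if m := OPEN_RE.match(line):
            path, fd = m.group(1), int(m.group(2))
            if path in RNG_DEVICES:
                fd_to_dev[fd] = path
            else:
                fd_to_dev.pop(fd, None)  # fd number reused for an unrelated file
        elif m := CLOSE_RE.match(line):
            fd_to_dev.pop(int(m.group(1)), None)
        elif (m := READ_RE.match(line)) and int(m.group(1)) in fd_to_dev:
            dev = fd_to_dev[int(m.group(1))]
            calls, total = totals.get(dev, (0, 0))
            totals[dev] = (calls + 1, total + int(m.group(2)))  # bytes actually returned
    return totals


def over_budget(totals, limit=MAX_BYTES):
    """Devices from which the traced process read more than `limit` bytes."""
    return {dev: stats for dev, stats in totals.items() if stats[1] > limit}


# Constructed trace (not captured output): an unrelated file on fd 3, then the
# 25 x 120-byte pattern reported in the thread, with buffer contents shortened.
SAMPLE_TRACE = (
    'open("/etc/ld.so.cache", O_RDONLY) = 3\n'
    'read(3, "\\177ELF"..., 832) = 832\n'
    'close(3) = 0\n'
    'open("/dev/urandom", O_RDONLY) = 3\n'
    + 'read(3, "v\\35\\223"..., 120) = 120\n' * 25
    + 'close(3) = 0\n'
)

if __name__ == "__main__":
    for dev, (calls, total) in over_budget(audit_random_reads(SAMPLE_TRACE)).items():
        print(f"{dev}: {calls} reads, {total} bytes (budget {MAX_BYTES})")
```

The audit tracks which descriptor is open on the device, so reads from other files that reuse the same fd number are not counted.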