[email protected] writes:

> certtool still makes 25 120-byte reads from /dev/urandom, fetching 3000
> bytes (14400 bits) when 32 (256 bits) is more than enough.

As far as I understand, this is an intentional libgcrypt design.  In any
case, it is a libgcrypt issue.

Btw, the current development version of GnuTLS is using GNU Nettle for
crypto instead of Libgcrypt, and it uses an internal Yarrow PRNG seeded
by smaller amounts of data from /dev/urandom.

/Simon

> To quote "man 4 random":
>
>       "if any program reads  more than 256 bits (32 bytes) from the
>       kernel random pool per invocation, or per reasonable reseed
>       interval (not less than one minute), that should be taken as a
>       sign that its cryptography is not skilfully implemented."
>
> read(3, "v\35\223\375<\352qTU\331\316:"..., 120) = 120
> read(3, "y\34\220\36\345\374\316k\3\331\351\307"..., 120) = 120
> read(3, "\214\272\17@:\304\35LT$\2763"..., 120) = 120
> read(3, "\6\357\224>N\353\0\322Ys\311\0"..., 120) = 120
> read(3, "\264\f%\242\266\232\300\375\340)\203w"..., 120) = 120
> read(3, "Df\203\313\321+\305^|\251r\325"..., 120) = 120
> read(3, "\340\323nN\357\233Y?l\26v\n"..., 120) = 120
> read(3, "\16H\355\344\347fD\343\207\3118j"..., 120) = 120
> read(3, "\312\333)~J\"\226\250f\255\353\3"..., 120) = 120
> read(3, "\23\232\0\310B\331\t\266b,\201\314"..., 120) = 120
> read(3, ")\367R8\312\257\377a\204\340\255\274"..., 120) = 120
> read(3, "\274K\32}h=-(\243S\273\22"..., 120) = 120
> read(3, "\236\32UT\3655\276}Zjm\200"..., 120) = 120
> read(3, "\1\322C5\323\251\260\35\204\215\377l"..., 120) = 120
> read(3, "rBZ\347\312\202\0311\326q\21\331"..., 120) = 120
> read(3, "6\376t\255\33L\246\352mI\326\316"..., 120) = 120
> read(3, "\346\207\3715g[!\201~\34f\220"..., 120) = 120
> read(3, "X\2418\210\3063\26\3001\335\362\215"..., 120) = 120
> read(3, "o\257\232\331\33\355K\354mZ\361b"..., 120) = 120
> read(3, "\223\331%t\357\10\2347z\364!\20"..., 120) = 120
> read(3, ":\233F\375D\356CR\373\320\35$"..., 120) = 120
> read(3, "\225j\354C\216\272\257\354\205\vF,"..., 120) = 120
> read(3, "9\357.WK\213\206m\0074\3161"..., 120) = 120
> read(3, "+\370(\7\311\210J\332\340\342\275\210"..., 120) = 120
> read(3, "\273S\215\333\362\274l\253\272R\300\272"..., 120) = 120
> --
> Pkg-gnutls-maint mailing list
> [email protected]
> http://lists.alioth.debian.org/mailman/listinfo/pkg-gnutls-maint
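As an added example (not code from this thread, GnuTLS or libgcrypt), here is a small Python checker that applies the "man 4 random" 32-byte heuristic to an strace log: it follows which file descriptors point at the kernel pool and totals what the program reads from them. The trace embedded below is constructed to resemble the output quoted above and is not a real capture.

```python
import re

# Heuristic quoted from "man 4 random": more than 256 bits (32 bytes) of
# kernel randomness per invocation suggests the program's own PRNG layer
# is doing too little (or no) stretching of the seed it fetches.
KERNEL_POOL_BUDGET = 32
POOL_PATHS = ("/dev/urandom", "/dev/random")

# open("/dev/urandom", O_RDONLY) = 3   or   openat(AT_FDCWD, "...", ...) = 3
OPEN_RE = re.compile(r'^(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(\d+)')
# read(3, "..."..., 120) = 120 ; greedy .* so the escaped bytes do not matter
READ_RE = re.compile(r'^read\((\d+), .*, (\d+)\) = (-?\d+)$')
CLOSE_RE = re.compile(r'^close\((\d+)\)')


def urandom_read_profile(strace_lines):
    """Return (read_count, total_bytes) for successful reads from the
    kernel pool, tracking fd reuse so reads of other files are ignored."""
    pool_fds = set()
    count = total = 0
    for line in strace_lines:
        m = OPEN_RE.match(line)
        if m:
            path, fd = m.group(1), int(m.group(2))
            if path in POOL_PATHS:
                pool_fds.add(fd)
            else:
                pool_fds.discard(fd)  # fd number now refers to another file
            continue
        m = CLOSE_RE.match(line)
        if m:
            pool_fds.discard(int(m.group(1)))
            continue
        m = READ_RE.match(line)
        if m and int(m.group(1)) in pool_fds:
            got = int(m.group(3))
            if got > 0:  # -1 (error) and 0 (EOF) contribute nothing
                count += 1
                total += got
    return count, total


def exceeds_budget(strace_lines, budget=KERNEL_POOL_BUDGET):
    """True if the program drew more than `budget` bytes from the pool."""
    return urandom_read_profile(strace_lines)[1] > budget


# Constructed sample in the style of the quoted strace output (not a real capture).
SAMPLE_TRACE = r"""open("/etc/ld.so.cache", O_RDONLY) = 3
close(3) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "v\35\223\375<\352qTU\331\316:"..., 120) = 120
read(3, "y\34\220\36\345\374\316k\3\331\351\307"..., 120) = 120
close(3) = 0
open("/etc/ssl/certs/ca.pem", O_RDONLY) = 3
read(3, "-----BEGIN"..., 4096) = 512""".splitlines()
```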
