[gnutls-dev] bug in _gnutls_pkcs1_rsa_encrypt

Werner Koch wk at gnupg.org
Tue Aug 17 13:56:57 CEST 2004

On Mon, 16 Aug 2004 17:46:23 -0700, Robey Pointer said:

> and almost always only the 3rd byte is used.  This seems like a waste
> of the random pool, and my hunch is that the fetch of 3 random bytes
> was meant to go OUTSIDE the loop.

FWIW, here is how GnuPG does it:

    p = gcry_random_bytes_secure (i, GCRY_STRONG_RANDOM);
    /* replace zero bytes by new values */
    for(;;) {
	int j, k;
	byte *pp;

	/* count the zero bytes */
	for(j=k=0; j < i; j++ )
	    if( !p[j] )
	if( !k )
	    break; /* okay: no zero bytes */
	k += k/128; /* better get some more */
	pp = gcry_random_bytes_secure( k, GCRY_STRONG_RANDOM);
	for(j=0; j < i && k ; j++ )
	    if( !p[j] )
		p[j] = pp[--k];
	xfree (pp);

Libgcrypt also provides pkcs#1 handling.  The code above has not yet
been converted to this new Libgcrypt feature.



More information about the Gnutls-devel mailing list