[gnutls-dev] Re: ongoing entropy problems

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Feb 1 13:14:06 CET 2006


On 2/1/06, Simon Josefsson <jas at extundo.com> wrote:

> >  1. Does gnutls use GCRY_VERY_STRONG_RANDOM?
> Yes, in gc_random() which is used by RAND_bytes in
> libextra/gnutls_openssl.c.  Otherwise, no, as far as I can see.

Indirectly it is used during key generation. I believe libgcrypt
uses GCRY_VERY_STRONG_RANDOM to generate an RSA key. This
is the reason exim was blocking. It was creating an RSA key per
connection (which is not really needed).

> Is exim using the OpenSSL compatibility interface?  Does it invoke
> RAND_bytes?

no, it uses a direct implementation.

> >  2. Does gnutls save the random seed file?
> >         gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, filename);
> >       atexit:
> >         gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
> No.  Should it?  What should we use as the filename?

I also don't think we should use it. gnutls doesn't need to know about that.
It could be used by exim though because of the way it works.

> >  3. Does the problem only occur for inetd invoked exims?
> I don't know.

It occurs for any way you run exim. The problem is that exim is
forking and then initializing gnutls and everything else after every fork.
As far as I was told, there is no other way to do that. However a fork
happens really often in exim, thus is causes that problem.




More information about the Gnutls-devel mailing list