[gnutls-dev] Re: Feature request: not really random session keys

Florian Weimer fw at deneb.enyo.de
Wed Jan 18 14:30:39 CET 2006


* Simon Josefsson:

> Perhaps someone with this problem could debug exactly what is
> accessing /dev/random?

Okay, I'll try to get a backtrace.  In the meantime, here's what I
found by looking at the source code.

The RSA-based authentication function generates a session key only on
the client side (lib/auth_rsa.c, _gnutls_gen_rsa_client_kx):

  if (gc_pseudo_random(session->key->key.data,
                       session->key->key.size) != GC_OK) {
    gnutls_assert();
    return GNUTLS_E_RANDOM_FAILED;
  }

gc_pseudo_random (in gl/gc-libgcrypt.c) looks like this:

  gc_pseudo_random (char *data, size_t datalen)
  {
    gcry_randomize ((unsigned char *) data, datalen, GCRY_STRONG_RANDOM);
    return GC_OK;
  }

The various DH implementations seem to end up calling
gnutls_calc_dh_secret in lib/gnutls_dh.c:

  do {
      _gnutls_mpi_randomize(x, (x_size / 8) * 8, GCRY_STRONG_RANDOM);
      /* Check whether x is zero.
       */
  } while( _gnutls_mpi_cmp_ui( x, 0)==0);

_gnutls_mpi_randomize is actually gcry_mpi_randomize.  If I read the
libgcrypt source correctly GCRY_STRONG_RANDOM maps to level 2, and
this means that a corresponding number of bits has to be read from
/dev/random.




More information about the Gnutls-devel mailing list