Uses too much entropy (Debian Bug #343085)

Andreas Metzler ametzler at downhill.at.eu.org
Fri Jan 4 18:06:49 CET 2008


On 2008-01-04 Simon Josefsson <simon at josefsson.org> wrote:
[...]
>   2) To make exim link to and call libgcrypt's functions to read and
>      update a random seed file instead?
[...]
> For simplicity and non-experimentalness, I would recommend 2).  I can
> assist in implementing this in exim, if that would help.  We'd
> definitely need a good example of how to do this in the gnutls manual
> anyway.
[...]

Well, the basic patch for testing seems to be this one, basically
identical to the skeleton you described. It gets down entropy-usage
for a single STARTTLS to <300 bits from > 3000.

----------------------------
diff -Nur exim-orig/src/tls-gnu.c exim-4.68/src/tls-gnu.c
--- exim-orig/build-tree/src/tls-gnu.c	2007-08-30 16:31:06.000000000 +0200
+++ exim-4.68/build-tree/src/tls-gnu.c	2008-01-04 15:58:40.000000000 +0100
@@ -20,6 +20,7 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
 
+#include <gcrypt.h>
 
 #define UNKNOWN_NAME "unknown"
 #define DH_BITS      1024
@@ -444,6 +445,8 @@
 
 initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT;
 
+gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,"/var/run/exim4/random.seed");
+
 rc = gnutls_global_init();
 if (rc < 0) return tls_error(US"tls-init", host, rc);
 
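Review bot: the return value of the added gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, ...) call is discarded, while the gnutls_global_init() call directly below it checks rc and returns tls_error(). Suggest capturing the gcry_error_t result and reporting a failure the same way, so a seed file that could not be registered does not go unnoticed. The path "/var/run/exim4/random.seed" is also a hard-coded string literal in tls-gnu.c; building it from spool_directory, which the message itself lists as still missing, would avoid tying the code to one installation layout.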
@@ -1305,6 +1308,7 @@
 {
 if (tls_active < 0) return;  /* TLS was not active */
 
+gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
 if (shutdown)
   {
   DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
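Review bot: gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE) is called without checking its result, so a failed seed file update at the top of this function is silent. Suggest checking the returned gcry_error_t and reporting a failure through DEBUG(D_tls) debug_printf(), as the shutdown branch below does for its own message. The call also sits after the "if (tls_active < 0) return;" early exit, so the seed file is only refreshed when TLS was actually active; a one-line comment saying this is intended would help the next reader.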
----------------------------

Error checking, and having the file in spool_directory instead (since
it is a private directory present on any exim installation) is missing.
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




