Blob Blame History Raw
From deeb93c2fb7cc131741ced4877b75bcd3a64cef4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 31 Jul 2019 15:38:50 +0200
Subject: [PATCH 070/187] lib:util: Add better documentation for
 generate_secret_buffer()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bf52ab7d2982de84a68a1b9c6d2f68250b7e7cca)
---
 lib/util/genrand.c | 17 ++++++++++++-----
 lib/util/genrand.h |  6 +++++-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index 76c2cb81962..a5809aa2bc9 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -25,19 +25,26 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
+/*
+ * Details about the GnuTLS CSPRNG:
+ *
+ * https://nikmav.blogspot.com/2017/03/improving-by-simplifying-gnutls-prng.html
+ */
+
 _PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
 {
 	/* Thread and fork safe random number generator for temporary keys. */
 	gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
 }
 
-/*
- * Keep generate_secret_buffer in case we ever want to do something
- * different
- */
 _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
 {
-	/* Thread and fork safe random number generator for long term keys. */
+	/* The key generator, will re-seed after a fixed amount of bytes is
+	 * generated (typically less than the nonce), and will also re-seed
+	 * based on time, i.e., after few hours of operation without reaching
+	 * the limit for a re-seed. For its re-seed it mixes mixes data obtained
+	 * from the OS random device with the previous key.
+	 */
 	gnutls_rnd(GNUTLS_RND_KEY, out, len);
 }
 
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index 5af23100596..abb8ce2c10a 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -25,7 +25,11 @@
 void generate_random_buffer(uint8_t *out, int len);
 
 /**
- * Thread and fork safe random number generator for long term keys.
+ * @brief Generate random values for key buffers (e.g. session keys)
+ *
+ * @param[in]  out  A pointer to the buffer to fill with random data.
+ *
+ * @param[in]  len  The size of the buffer to fill.
  */
 void generate_secret_buffer(uint8_t *out, int len);
 
-- 
2.23.0