From deeb93c2fb7cc131741ced4877b75bcd3a64cef4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 31 Jul 2019 15:38:50 +0200 Subject: [PATCH 070/187] lib:util: Add better documentation for generate_secret_buffer() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit bf52ab7d2982de84a68a1b9c6d2f68250b7e7cca) --- lib/util/genrand.c | 17 ++++++++++++----- lib/util/genrand.h | 6 +++++- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/lib/util/genrand.c b/lib/util/genrand.c index 76c2cb81962..a5809aa2bc9 100644 --- a/lib/util/genrand.c +++ b/lib/util/genrand.c @@ -25,19 +25,26 @@ #include #include +/* + * Details about the GnuTLS CSPRNG: + * + * https://nikmav.blogspot.com/2017/03/improving-by-simplifying-gnutls-prng.html + */ + _PUBLIC_ void generate_random_buffer(uint8_t *out, int len) { /* Thread and fork safe random number generator for temporary keys. */ gnutls_rnd(GNUTLS_RND_RANDOM, out, len); } -/* - * Keep generate_secret_buffer in case we ever want to do something - * different - */ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) { - /* Thread and fork safe random number generator for long term keys. */ + /* The key generator, will re-seed after a fixed amount of bytes is + * generated (typically less than the nonce), and will also re-seed + * based on time, i.e., after few hours of operation without reaching + * the limit for a re-seed. For its re-seed it mixes mixes data obtained + * from the OS random device with the previous key. + */ gnutls_rnd(GNUTLS_RND_KEY, out, len); } diff --git a/lib/util/genrand.h b/lib/util/genrand.h index 5af23100596..abb8ce2c10a 100644 --- a/lib/util/genrand.h +++ b/lib/util/genrand.h @@ -25,7 +25,11 @@ void generate_random_buffer(uint8_t *out, int len); /** - * Thread and fork safe random number generator for long term keys. + * @brief Generate random values for key buffers (e.g. session keys) + * + * @param[in] out A pointer to the buffer to fill with random data. + * + * @param[in] len The size of the buffer to fill. */ void generate_secret_buffer(uint8_t *out, int len); -- 2.23.0