diff options
| author |  guilhem <guilhem@fripost.org> | 2013-04-05 21:06:16 +0200 |
|---|---|---|
| committer |  Joey Hess <joey@kitenet.net> | 2013-04-06 16:09:51 -0400 |
| commit | a7f50205bb1ccd41d4a9ab4e11d984e643be755f (patch) | |
| tree | 519c7148a87575896450b7dc43fc58e8b34dfe02 /Utility/Gpg.hs | |
| parent | f758f6d5cbef989bff75fcd140edb8e0b8899b84 (diff) | |
Generate ciphers with a better entropy.
Unless highRandomQuality=false (or --fast) is set, use Libgcypt's
'GCRY_VERY_STRONG_RANDOM' level by default for cipher generation, like
it's done for OpenPGP key generation.
On the assistant side, the random quality is left to the old (lower)
level, in order not to scare the user with an enless page load due to
the blocking PRNG waiting for IO actions.
Diffstat (limited to 'Utility/Gpg.hs')
| -rw-r--r-- | Utility/Gpg.hs | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/Utility/Gpg.hs b/Utility/Gpg.hs index c31755d62..4a13d456c 100644 --- a/Utility/Gpg.hs +++ b/Utility/Gpg.hs @@ -85,7 +85,8 @@ feedRead params passphrase feeder reader = do reader from {- Finds gpg public keys matching some string. (Could be an email address, - - a key id, or a name. -} + - a key id, or a name; See the section 'HOW TO SPECIFY A USER ID' of + - GnuPG's manpage.) -} findPubKeys :: String -> IO KeyIds findPubKeys for = KeyIds . parse <$> readStrict params where @@ -97,8 +98,8 @@ findPubKeys for = KeyIds . parse <$> readStrict params {- Creates a block of high-quality random data suitable to use as a cipher. - It is armored, to avoid newlines, since gpg only reads ciphers up to the - first newline. -} -genRandom :: Int -> IO String -genRandom size = checksize <$> readStrict +genRandom :: Bool -> Int -> IO String +genRandom highQuality size = checksize <$> readStrict [ Params params , Param $ show randomquality , Param $ show size @@ -106,8 +107,13 @@ genRandom size = checksize <$> readStrict where params = "--gen-random --armor" - -- 1 is /dev/urandom; 2 is /dev/random - randomquality = 1 :: Int + -- See http://www.gnupg.org/documentation/manuals/gcrypt/Quality-of-random-numbers.html + -- for the meaning of random quality levels. + -- The highest available is 2, which is the default for OpenPGP + -- key generation; Note that it uses the blocking PRNG /dev/random + -- on the Linux kernel, hence the running time may take a while. + randomquality :: Int + randomquality = if highQuality then 2 else 1 {- The size is the number of bytes of entropy desired; the data is - base64 encoded, so needs 8 bits to represent every 6 bytes of |