libgcrypt unnecessarily exhausts /dev/random

Binary package hint: libgcrypt11

libgcrypt reads more bytes from /dev/random than the application has requested. If a process needs only 16 or 32 random bytes for an encryption key, the extra bytes read by the library are wasted. Subsequent reads from /dev/random by other processes will have to wait until enough randomness is accumulated again. The waiting time will be especially long when entropy sources are scarce (no network, no hard disks, lack of keyboard input, etc.).

In my tests using libgcrypt11 version 1.2.4-2ubuntu2 under Ubuntu 7.10 Gutsy, reading 1 random byte with gcry_random_bytes_secure(1, GCRY_VERY_STRONG_RANDOM) resulted in the read of 300 bytes from /dev/random and 360 bytes from /dev/urandom, according to strace. It should have been exactly 1 byte from /dev/random and no reads from /dev/urandom at all.

If there is a considerable performance hit associated with on-demand reading from /dev/random, the library API should be extended to provide a way to disable buffering or to specify in advance how much random bytes the application will need. Thus applications using the new API will be able to avoid wasting random bytes. Depending on the real usage of libgcrypt, it may be worthwhile to change the default behavior so that less random bytes are wasted.