[Swan] Q: Generation of nonces and the use of PK11_GenerateRandom()

Mirsad Todorovac mirsad.todorovac at alu.unizg.hr
Mon Apr 24 12:02:18 EEST 2023


Hi,

I have a question re: generation of nonces.

From the line:

programs/pluto/crypt_ke.c:75: task->nonce = alloc_rnd_chunk(DEFAULT_NONCE_SIZE, "nonce");

I saw that this calls fill_rnd_chunk(chunk);
which calls get_rnd_bytes(&rnd, sizeof(rnd));
which in turn calls

	PK11_GenerateRandom(buffer, length)

from libnss.

I have cloned libnss, but I cannot figure out how PK11_GenerateRandom() works
and whether it uses nonces from the TPM2 chip.

Obviously, since you take nonces from general-purpose random numbers, this is not
likely to be the case.

But if PK11_GenerateRandom() uses the TPM2 for random numbers, and it gives them from a
limited space so that the people and foreign governments wouldn't have perfect forward secrecy,
the TPM2 chip could produce random numbers from a rigged space that is much easier to crack by
offline breaking on dedicated clusters.

Personally, I do not use encrypted email at all, but things like typing passwords
over open Wi-Fi networks require a reliable VPN that can be trusted.

How safe exactly are the NSS PK11_GenerateRandom() random numbers, and how random are
they really? I read in the source that it is supposed to be FIPS-compliant.

How safe am I really if the Windows 11 VPN implementation uses TPM2-generated
nonces?

Thank you.

Best regards,

-- 
Mirsad Goran Todorovac
System engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
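Added illustration, not part of the post above and not code from libreswan or NSS: the worry raised in the question is that a generator whose output looks fine can still draw from a small seed space. The toy generator below has only 16 bits of seed; its nonces are a pure function of that seed, so any observed nonce hands back the seed by brute force in at most 65536 trials, even though the output passes a simple monobit check. The names (toy_generate, passes_monobit, recover_seed), the 32-byte nonce length and the xorshift32 core are assumptions made for this example; the point it demonstrates is that an output statistic cannot answer "how random are they", only an audit of the seed source can.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Nonce length for the toy; 32 bytes is an assumption for this example,
 * not a value taken from libreswan or NSS. */
#define TOY_NONCE_BYTES 32
#define TOY_SEED_SPACE  65536u   /* 16-bit seed: the "limited space" */

/* xorshift32 step (Marsaglia). Bijective on non-zero states, so two
 * different states never yield the same next word. */
static uint32_t toy_next(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *state = x;
    return x;
}

/* Map a 16-bit seed to a non-zero starting state. Distinct seeds give
 * distinct states, so the recovery below is unambiguous. */
static uint32_t toy_state_from_seed(uint16_t seed)
{
    return (0x9E3779B9u ^ ((uint32_t)seed << 8)) | 1u;
}

/* Hypothetical rigged generator: fills 'out' with 'len' bytes that are a
 * pure function of a 16-bit seed. It stands in for the concern raised in
 * the post; it is not how NSS's PK11_GenerateRandom() works. */
void toy_generate(uint16_t seed, uint8_t *out, size_t len)
{
    uint32_t st = toy_state_from_seed(seed);
    uint32_t word = 0;
    for (size_t i = 0; i < len; i++) {
        if (i % 4 == 0)
            word = toy_next(&st);
        out[i] = (uint8_t)(word >> (8 * (i % 4)));
    }
}

/* Monobit check in the style of NIST SP 800-22, without libm: accept when
 * |ones - zeros| / sqrt(nbits) < 3, i.e. (ones - zeros)^2 < 9 * nbits.
 * A rigged generator passes this just as easily as a good one. */
bool passes_monobit(const uint8_t *buf, size_t len)
{
    long ones = 0;
    for (size_t i = 0; i < len; i++)
        for (uint8_t b = buf[i]; b; b >>= 1)
            ones += b & 1;
    long nbits = (long)len * 8;
    long diff = 2 * ones - nbits;
    return diff * diff < 9 * nbits;
}

/* Offline attack: try every seed until one reproduces the observed nonce.
 * Returns the seed, or -1 if none matches (the nonce did not come from the
 * toy generator, or 'len' exceeds the toy nonce size). */
long recover_seed(const uint8_t *observed, size_t len)
{
    uint8_t cand[TOY_NONCE_BYTES];
    if (len > sizeof cand)
        return -1;
    for (uint32_t s = 0; s < TOY_SEED_SPACE; s++) {
        toy_generate((uint16_t)s, cand, len);
        if (memcmp(cand, observed, len) == 0)
            return (long)s;
    }
    return -1;
}

int main(void)
{
    uint8_t nonce[TOY_NONCE_BYTES];
    toy_generate(0xBEEF, nonce, sizeof nonce);
    printf("monobit: %s\n", passes_monobit(nonce, sizeof nonce) ? "pass" : "fail");
    printf("recovered seed: 0x%04lx\n", recover_seed(nonce, sizeof nonce));
    return 0;
}
```

The brute force finishes in milliseconds here; scale the seed space to whatever an attacker with "dedicated clusters" can afford and the shape of the attack is the same. Replacing toy_generate with a call that draws from the real RNG makes recover_seed return -1, which is exactly what a statistical test cannot tell you: the check that matters is where the seed bytes come from, not what the output looks like.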
