Using libgcrypt and a library using it
Jean-Philippe Garcia Ballester
giga at le-pec.org
Sun Jan 15 18:00:36 CET 2006
On Sunday 15 January 2006 17:41, Werner Koch wrote:
> On Sun, 15 Jan 2006 13:45:13 +0100, Jean-Philippe Garcia Ballester said:
> > We're checking if libgcrypt has already been initialized, so that we
> > don't initialize it again in the library. But what if it has already been
> > initalized without secure memory?
>
> You mean by explictly disabling secure memory? Thn there is no way to
> change this later (due to the mlock restrictions when using Linux)
I mean in the program, there is just a call to :
gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0);
In the library used by the program, there is
if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P,0)){
gcry_control(GCRYCTL_INIT_SECMEM,524288,0);
gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0);
}
The gcry_control(GCRYCTL_INIT_SECMEM,524288,0) will not be done since
libgcrypt has already been initialized.
>
> > Is there something in gcry_control to check that, and the amount of
> > secure memory (the documentation to gcry_control is either hard to find
> > or inexistant)? Is there a solution to this problem other than saying
>
> No. There is only the GCRYCTL_DUMP_SECMEM_STATS but this does not
> help you program. Adding such a feature isn't hard and if you really
> need it, we can do so.
Not that it's really needed, but if some user initalize libgcrypt without
initalizing secure memory, that would end up in bugs coming from our lib.
The possibility to check if secure memory has been initialize and if there's
enough and the possibility to initalize secure memory and adjust the size of
secure memory after the call to
gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0) would prevent users to
initialize libgcrypt in their programs like our library should do.
--
Jean-Philippe Garcia Ballester
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20060115/e065735f/attachment.pgp
More information about the Gcrypt-devel
mailing list