Using libgcrypt and a library using it

Jean-Philippe Garcia Ballester giga at le-pec.org
Sun Jan 15 18:00:36 CET 2006


On Sunday 15 January 2006 17:41, Werner Koch wrote:
> On Sun, 15 Jan 2006 13:45:13 +0100, Jean-Philippe Garcia Ballester said:
> >   We're checking if libgcrypt has already been initialized, so that we
> > don't initialize it again in the library. But what if it has already been
> > initialized without secure memory?
>
> You mean by explicitly disabling secure memory?  Then there is no way to
> change this later (due to the mlock restrictions when using Linux)

I mean in the program, there is just a call to:
gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0);

In the library used by the program, there is 
if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P,0)){
  gcry_control(GCRYCTL_INIT_SECMEM,524288,0);
  gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0);
}

The gcry_control(GCRYCTL_INIT_SECMEM,524288,0) will not be done since 
libgcrypt has already been initialized.

>
> >   Is there something in gcry_control to check that, and the amount of
> > secure memory (the documentation to gcry_control is either hard to find
> > or nonexistent)? Is there a solution to this problem other than saying
>
> No.  There is only the GCRYCTL_DUMP_SECMEM_STATS but this does not
> help your program.  Adding such a feature isn't hard and if you really
> need it, we can do so.

Not that it's really needed, but if some user initializes libgcrypt without 
initializing secure memory, that would end up in bugs coming from our lib.
The possibility to check if secure memory has been initialized and if there's 
enough and the possibility to initialize secure memory and adjust the size of 
secure memory after the call to 
gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0) would prevent users from having to 
initialize libgcrypt in their programs like our library should do.

-- 
Jean-Philippe Garcia Ballester