Using libgcrypt and a library using it

Werner Koch wk at gnupg.org
Mon Jan 16 16:40:20 CET 2006


On Sun, 15 Jan 2006 18:00:36 +0100, Jean-Philippe Garcia Ballester said:

>   gcry_control(GCRYCTL_INIT_SECMEM,524288,0);

Are you really sure that you need 512k for secure memory?  The
algorithm to maintain that memory area is not very advanced and too
many allocs/frees may slow those operations down.

> The possibility to check if secure memory has been initialized and if there's 
> enough and the possibility to initialize secure memory and adjust the size of 
> secure memory after the call to 
> gcry_control(GCRYCTL_INITIALIZATION_FINISHED,0) would prevent users to 

That is unfortunately not possible.  The whole mess with mlocking is
that under Linux you need to have root rights or appropriate
capabilities.  After the initialization Libgcrypt will relinquish
these permissions (unless you are running under root).  There is at
least one assertion to make sure that rights have been dropped.

These mlock restrictions are really silly given that there are so many
other ways of eating up resources.  The new approach to allow for a
certain amount of locked memory seems to be more sensible to the
problem but as of now we can't rely on it.


Shalom-Salam,

   Werner
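
An added example, not part of the original message and not Libgcrypt code: a stand-alone C check of whether a secure-memory pool of a given size can be mlock()ed by the current process. It assumes the "certain amount of locked memory" mentioned above refers to the RLIMIT_MEMLOCK resource limit on Linux; the function names and the 32768-byte comparison size are made up for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Pure check: does a pool of `want` bytes fit under a memlock limit? */
static int fits_memlock_limit(size_t want, rlim_t limit)
{
    return limit == RLIM_INFINITY || (rlim_t)want <= limit;
}

/* Allocate a page-aligned pool and try to lock it; returns 0 or the errno. */
static int try_lock_pool(size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len;
    void *pool = NULL;
    int err = 0;

    if (page <= 0 || want == 0)
        return EINVAL;
    len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    if (posix_memalign(&pool, (size_t)page, len) != 0)
        return ENOMEM;
    if (mlock(pool, len) != 0) {
        err = errno;            /* locking refused, e.g. pool exceeds the limit */
    } else {
        memset(pool, 0, len);   /* a real pool is wiped before it is unlocked */
        munlock(pool, len);
    }
    free(pool);
    return err;
}

int main(void)
{
    /* 524288 is the size from the quoted call; 32768 is a constructed value */
    const size_t sizes[] = { 32768, 524288 };
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return 1;
    for (size_t i = 0; i < 2; i++) {
        int err = try_lock_pool(sizes[i]);
        printf("%zu bytes: within soft limit=%d, mlock=%s\n", sizes[i],
               fits_memlock_limit(sizes[i], rl.rlim_cur), err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run it as the unprivileged account the application will use; a refused lock for the larger size means a pool of that size could not be locked without extra privileges.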




