[gnutls-dev] set random seed file via gnutls api

Peter O'Gorman gnutls-dev at mlists.thewrittenword.com
Sat Apr 28 18:04:26 CEST 2007


[resending from the subscribed address - sorry]

On Sat, Apr 28, 2007 at 10:57:40AM +0200, Werner Koch wrote:
> On Sat, 28 Apr 2007 02:10, gnutls-dev at mlists.thewrittenword.com said:
> 
> > Looks like I misread the gcrypt options, there is no current API for
> > changing the egd socket. Sorry. I am hopeful that something will be
> > added to the next major release of libgcrypt, if so we will come back
> > with a patch for GnuTLS.
> 
> You can change the socket used for EGD with a configure option.  Since
> early GnuPG times, the suggestion has always been to use a symlink
> instead.
> 
> What is the reason that you need to change the name of the socket?
> 1.3.0 is scheduled for next week

We use the configure option to set the socket to a path under /var,
only the superuser can start prngd with the egd socket at that path.
If prngd is not running, curl does not work (libgcrypt calls exit(2)),
and the user is unable to download even http:// urls.

We patched curl locally to delay init of gnutls, so stuff like `curl
--version' does not cause gcrypt to call exit(2), but we'd still like
users without privs to be able to download https:// urls without the
egd socket at the configured path. An ordinary user can start prngd
using a different path and can then use curl's --egd-file option to
point curl (and from there gnutls and gcrypt) at this socket, thus
allowing them to download https:// urls.

I posted a patch to gcrypt-devel.

Is there some reason that you consider this a bad idea?

Peter
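The unprivileged workaround described in the message above (start a per-user prngd on a writable path and pass that socket to curl with --egd-file, falling back only when the system socket is absent), written out as an added shell example. This is not code from the thread, from curl or from GnuTLS; it assumes prngd is in PATH and takes the socket path as its final argument, that the curl in use still accepts --egd-file (the 2007-era builds discussed here do), and the socket paths in EGD_CONFIGURED and EGD_USER are placeholders to be adjusted.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: prngd accepts the socket path as its last argument and
# daemonises; curl is built against GnuTLS and honours --egd-file.

EGD_CONFIGURED="${EGD_CONFIGURED:-/var/run/egd-pool}"   # path libgcrypt was configured with (placeholder)
EGD_USER="${EGD_USER:-$HOME/.egd-pool}"                  # per-user fallback socket (placeholder)

# Print the EGD socket curl should be pointed at: the configured system
# socket when one actually exists there, otherwise the user-owned fallback.
egd_socket_for_curl() {
    configured="$1"
    fallback="$2"
    if [ -S "$configured" ]; then
        printf '%s\n' "$configured"
    else
        printf '%s\n' "$fallback"
    fi
}

# Start a per-user prngd on $1 unless a socket is already there.
# Succeeds only when a socket exists afterwards.
ensure_user_prngd() {
    sock="$1"
    [ -S "$sock" ] && return 0
    prngd "$sock" || return 1
    # prngd forks into the background; wait briefly for the socket to appear
    i=0
    while [ "$i" -lt 5 ] && [ ! -S "$sock" ]; do
        sleep 1
        i=$((i + 1))
    done
    [ -S "$sock" ]
}

# Fetch a URL, starting the user's own prngd and passing --egd-file
# only when the system socket is not available.
fetch_with_egd() {
    url="$1"
    sock=$(egd_socket_for_curl "$EGD_CONFIGURED" "$EGD_USER")
    if [ "$sock" != "$EGD_CONFIGURED" ]; then
        ensure_user_prngd "$sock" || {
            echo "no EGD socket available at $EGD_CONFIGURED or $sock" >&2
            return 1
        }
    fi
    curl --egd-file "$sock" -fsS -o /dev/null "$url"
}

# Usage: sh egd-fallback.sh https://example.invalid/
if [ "$#" -gt 0 ]; then
    fetch_with_egd "$1"
fi
```

The socket test uses `[ -S ]` rather than `[ -e ]` so that a stale regular file or directory left at the configured path does not fool the fallback logic; prngd is started only on the user path, never on the privileged one.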
