[gnutls-dev] Re: living without global variables

Simon Josefsson jas at extundo.com
Mon Jan 9 14:48:43 CET 2006


bryanh at giraffe-data.com (Bryan Henderson) writes:

> I'm not at all comfortable having my encryption library know what a
> process is, and even less comfortable having it know what a thread is.

It is difficult to avoid that: If you generate the random data in your
process, it will generate the same random data in two processes after
a fork().  Libgcrypt now detect this and re-seed itself when this
happen.  There may be similar issues with threads too.

I'm beginning to think that randomness is not something an application
or library should ever deal with internally.  It should read it from
an external device or socket.  File access to a device is
traditionally better synchronized, and every process that access it
get "its own" device.

/dev/random and /dev/urandom would work good on most desktop PCs.  If
you need something faster or better, write a daemon that collect
entropy, and make it serve data in /dev/*random.

This approach would also reduce complexity in libgcrypt.

/Simon




More information about the Gnutls-devel mailing list