[gnutls-dev] Re: living without global variables
jas at extundo.com
Mon Jan 9 14:48:43 CET 2006
bryanh at giraffe-data.com (Bryan Henderson) writes:
> I'm not at all comfortable having my encryption library know what a
> process is, and even less comfortable having it know what a thread is.
It is difficult to avoid that: If you generate the random data in your
process, it will generate the same random data in two processes after
a fork(). Libgcrypt now detect this and re-seed itself when this
happen. There may be similar issues with threads too.
I'm beginning to think that randomness is not something an application
or library should ever deal with internally. It should read it from
an external device or socket. File access to a device is
traditionally better synchronized, and every process that access it
get "its own" device.
/dev/random and /dev/urandom would work good on most desktop PCs. If
you need something faster or better, write a daemon that collect
entropy, and make it serve data in /dev/*random.
This approach would also reduce complexity in libgcrypt.
More information about the Gnutls-devel