Bug#448775: Uses too much entropy (Debian Bug #343085)
Simon Josefsson
simon at josefsson.org
Fri Jan  4 17:01:20 CET 2008

Werner Koch <wk at gnupg.org> writes:
> On Fri,  4 Jan 2008 15:16, simon at josefsson.org said:
>
>> int
>> gnutls_set_random_seed_file (const char *filename);
>
> I don't think that is a good idea.  gnutls does not provide the required
> thread hook function for libgcrypt and thus the application needs to do
> this.  If you want these functions you should also add the threading
> wrappers.

Ok.

> Another problem is that if gnutls is used indirectly no seed file is
> used and thus the application needs to do it anyway.  The seed file
> should be application specific and not library specific.

My idea would be that the filename in the API comes from the
application.

> Thus I suggest to document this and change the application.

Right.  So what should applications like exim do exactly?  Is there
anything more to think about than this:

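#include <error.h>    /* error() (glibc) */
#include <stdio.h>    /* fprintf() */
#include <stdlib.h>   /* EXIT_FAILURE */
#include <gcrypt.h>

int main ()
{
  gcry_error_t rc;

  /* Tell libgcrypt where the application's seed file lives.  */
  rc = gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,
                     "/var/run/exim4/random.seed");
  if (rc)
    error (EXIT_FAILURE, 0, "gcry_control SET_RANDOM_SEED_FILE");

  DoIT();  /* initialize gnutls, runs the MTA.. */

  /* Write the pool state back to the seed file before exiting.  */
  rc = gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
  if (rc)
    fprintf (stderr,
       "warning: gcry_control UPDATE_RANDOM_SEED_FILE failed (%u): %s\n",
       rc, gpg_strerror (rc));

  return 0;
}
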
/Simon
    
    