[gnutls-devel] delaying the initialization of random generator

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Nov 2 08:54:18 CET 2016


On Tue, Nov 1, 2016 at 2:39 PM, Andreas Metzler <ametzler at bebt.de> wrote:
>> Any opinions on that? The bottom line is that we cannot completely
>> solve the blocking issue, but we can improve it on the occasions
>> mentioned above. Should we try and introduce some complexity, or
>> should we ignore it and expect the kernel to address it?
> I can certainly understand the problem. GnuTLS is automatically
> initialized through the library constructor at program startup. This
> might not even be necessary, the program might run without using GnuTLS
> functions ATM, or might just be an indirect dependency (e.g. cups). In
> these use cases GnuTLS should not waste a possible rare resource like
> entropy.

Well, strictly speaking, with getrandom() there is no issue of
"depleting" entropy (it is a cprng, it will provide as much data as
asked). The issue is that the system can boot without it being
initialized, and thus a call to it will block. That said, I'm now also
tending towards delaying that initialization because I see no other
practical way to fix it (the Linux kernel is usually the hardest thing
to replace on a system, and even if the issue is fixed on a new
version, all previous versions will be problematic).

regards,
Nikos
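
The deferred initialization discussed in this message, as an added example that is not part of the original e-mail and is not GnuTLS code: the kernel generator is read on first use instead of from the library constructor, and a GRND_NONBLOCK probe reports whether a blocking call would stall. The names kernel_rng_ready, rng_ensure_seeded and rng_is_seeded are hypothetical, and the 32-byte seed size is an assumption.

```c
#include <errno.h>
#include <stdatomic.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(), glibc >= 2.25 */

enum { UNSEEDED, SEEDING, SEEDED };
static _Atomic int rng_state = UNSEEDED;   /* nothing is read at load time */
static unsigned char rng_seed[32];   /* assumed size; would key the library's generator */

/* 1 = kernel pool initialized, 0 = a blocking call would stall, -1 = error. */
int kernel_rng_ready(void)
{
    unsigned char probe;
    if (getrandom(&probe, 1, GRND_NONBLOCK) == 1)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Read exactly len bytes; blocks until the kernel pool is initialized. */
static int read_kernel_rng(unsigned char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = getrandom(buf, len, 0);
        if (n < 0 && errno != EINTR)
            return -1;
        if (n > 0) {
            buf += n;
            len -= (size_t)n;
        }
    }
    return 0;
}

int rng_is_seeded(void) { return atomic_load(&rng_state) == SEEDED; }

/* Called at the top of every function that needs random data, so a
 * process that only links the library never touches the kernel RNG. */
int rng_ensure_seeded(void)
{
    unsigned char tmp[sizeof rng_seed];
    int expected = UNSEEDED;
    if (rng_is_seeded())
        return 0;
    if (read_kernel_rng(tmp, sizeof tmp) < 0)   /* may block; no lock is held */
        return -1;
    if (atomic_compare_exchange_strong(&rng_state, &expected, SEEDING)) {
        memcpy(rng_seed, tmp, sizeof tmp);
        atomic_store(&rng_state, SEEDED);
    } else {
        while (!rng_is_seeded()) { }   /* another thread won; its copy is brief */
    }
    return 0;
}
```

The blocking read happens before the state change, so a thread stalled on an uninitialized pool holds nothing that other threads wait on.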


