[gnutls-devel] delaying the initialization of random generator
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Nov 4 10:32:37 CET 2016
On Wed, Nov 2, 2016 at 8:54 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Tue, Nov 1, 2016 at 2:39 PM, Andreas Metzler <ametzler at bebt.de> wrote:
>>> Any opinions on that? The bottom line, is that we cannot completely
>>> solve the blocking issue, but we can improve it on the occasions
>>> mentioned above. Should we try and introduce some complexity, or
>>> should we ignore it and expect the kernel to address it?
>> I can certainly understand the problem. GnuTLS is automatically
>> initialized through the library constructor at program startup. This
>> might not even be necessary, the program might run without using GnuTLS
>> functions ATM, or might just be an indirect dependency (e.g. cups). In
>> these use cases GnuTLS should not waste a possible rare resource like
>> entropy.
> Well strictly speaking, with getrandom() there is no issue of
> "depleting" entropy (it is a cprng, it will provide as much data as
> asked). The issue is that the system can boot without it being
> initialized, and thus a call to it will block. Said that, I'm now also
> tending towards delaying that initialization because I see no other
> practical way to fix it (the linux kernel is usually the hardest thing
> to replace on a system, and even if the issue is fixed on a new
> version, all previous versions will be problematic).
To conclude that, I've included in GnuTLS 3.5.6 the delayed
initialization of rng. That should address the issues found so far. If
there are new issues found because of this change, it will be
reconsidered.
regards,
Nikos
More information about the Gnutls-devel
mailing list