Re: Bug#448775: Uses too much entropy (Debian Bug #343085)

[Werner Koch]

On Fri,  4 Jan 2008 17:01, address@hidden said:

> Right.  So what should applications like exim do exactly?  Is there

My suggestion is:

int
main ()
{
  int rc;
        
#ifdef WE_USE_PTHREADS
  rc = gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
  if (rc)
    error (EXIT_FAILURE, 0, "can't register Pthreads with Libgcrypt: %s\n",
           gpg_strerror (rc));
#endif

#ifndef WE_NEED_SECMEM
  gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
#endif

  if (!gcry_check_version (NEED_LIBGCRYPT_VERSION) )
    error (EXIT_FAILURE, 0, "%s is too old (need %s, have %s)\n"), "libgcrypt",
           NEED_LIBGCRYPT_VERSION, gcry_check_version (NULL) );

  rc = gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, "foo/random-seed");
  if (rc)
    error (0, 0, "Warning: Error reading seed file: %s", gpg_strerror (rc));

#ifdef WE_NEED_SECMEM
  gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0);
#endif

  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);

  DoIT();  /* initialize gnutls, runs the MTA.. */

  rc = gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
  if (rc)
    error (0, 0, "Warning: Updating seed file failed: %s", gpg_strerror (rc));
  return 0;
}


If you don't want to track libgcrypt dependencies just use 

  if (!gcry_check_version (NULL) )
    error (EXIT_FAILURE, 0, "problem intializing Libgcrypt version %s"), 
           gcry_check_version (NULL) );

This is a sufficient initialization.  GNUTLS may later still check the
version.  GNUTLS or any other library may use

  if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P))
    missing_libgcrypt_initialization ();

to check whether libgcrypt has already been initialized.  Nikos and me
came up with that scheme some years ago.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.