Re: Bug#448775: Uses too much entropy (Debian Bug #343085)

[Simon Josefsson]

Werner Koch <address@hidden> writes:

> On Fri,  4 Jan 2008 15:16, address@hidden said:
>
>> int
>> gnutls_set_random_seed_file (const char *filename);
>
> I don't think that is a good idea.  gnutls does not provide the required
> thread hook function for libgcrypt and thus the appliaction needs to do
> this.  If you want these functions you should also add the threading
> wrappers.

Ok.

> Another problem is that if gnutls is used indirectly no seed file is
> used and thus the appliaction needs to do it anyway.  The seed file
> should be application specific and not library specific.

My idea would be that the filename in the API comes from the
application.

> Thus I suggest to document this and change the application.

Right.  So what should applications like exim do exactly?  Is there
anything more to think about than this:

#include <gcrypt.h>

int main ()
{
  gcry_error_t rc;

  rc = gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,
                     "/var/run/exim4/random.seed");
  if (rc)
    error (EXIT_FAILURE, 0, "gcry_control SET_RANDOM_SEED_FILE");

  DoIT();  /* initialize gnutls, runs the MTA.. */

  rc = gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
  if (rc)
    fprintf (stderr,
       "warning: gcry_control UPDATE_RANDOM_SEED_FILE failed (%d): %s",
       rc, gpg_strerror (rc));

  return 0;
}

/Simon