Bug#448775: Uses too much entropy (Debian Bug #343085)
Andreas Metzler
ametzler at downhill.at.eu.org
Wed Jan 30 19:20:10 CET 2008
On 2008-01-08 Werner Koch <wk at gnupg.org> wrote:
> On Fri, 4 Jan 2008 17:01, simon at josefsson.org said:
> > Right. So what should applications like exim do exactly? Is there
> My suggestion is:
[...]
Hello,
which yields this stripped down version for exim:
------------------------------
diff -urNad exim4-4.68~/build-tree/src/tls-gnu.c exim4-4.68/build-tree/src/tls-gnu.c
--- exim4-4.68~/build-tree/src/tls-gnu.c 2007-08-30 14:31:06.000000000 +0000
+++ exim4-4.68/build-tree/src/tls-gnu.c 2008-01-27 18:42:00.000000000 +0000
@@ -20,6 +20,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#include <gcrypt.h>
#define UNKNOWN_NAME "unknown"
#define DH_BITS 1024
@@ -440,10 +441,32 @@
uschar *crl)
{
int rc;
+uschar filename[200];
uschar *cert_expanded, *key_expanded, *cas_expanded, *crl_expanded;
+gcry_error_t gcr_rc;
initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT;
+/* Use a random_seed file for gcrypt's RNG */
+if (host_number_string != NULL)
+ {
+ if (!string_format(filename, sizeof(filename), "%s/random.seed%s",
+ spool_directory, host_number_string))
+ return tls_error(US"overlong filename spool_directory/random.seedlocalhost_number", host, 0);
+ }
+else
+ {
+ if (!string_format(filename, sizeof(filename), "%s/random.seed",
+ spool_directory))
+ return tls_error(US"overlong filename spool_directory/random.seed", host, 0);
+ }
+
+gcr_rc = gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,filename);
+if (gcr_rc)
+ return tls_error(US"Failure to set random_seed file", host, gcr_rc);
+
+gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
rc = gnutls_global_init();
if (rc < 0) return tls_error(US"tls-init", host, rc);
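Review bot: gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,filename) is the first libgcrypt call in this function and nothing in the hunk calls gcry_check_version() before it. libgcrypt's documentation requires gcry_check_version() to be called before any other library function, so add that call ahead of setting the seed file and return through tls_error() if it yields NULL. Separately, the failure path hands gcr_rc to tls_error(), the same helper that receives the gnutls_global_init() return code just below and so appears to expect a GnuTLS code. A gcry_error_t is not one, so build the message with gcry_strerror(gcr_rc), as the tls_close() hunk already does. The return value of gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0) is also left unchecked.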
@@ -1303,8 +1326,19 @@
void
tls_close(BOOL shutdown)
{
+gcry_error_t gcr_rc;
+
if (tls_active < 0) return; /* TLS was not active */
+gcr_rc = gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
+
+if (gcr_rc)
+ {
+ DEBUG(D_tls) debug_printf(
+ "GCRYCTL_UPDATE_RANDOM_SEED_FILE failed: (%d): (%s)\n",
+ gcr_rc,gcry_strerror(gcr_rc));
+ }
+
if (shutdown)
{
DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
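Review bot: a failing GCRYCTL_UPDATE_RANDOM_SEED_FILE in tls_close() is reported only through DEBUG(D_tls) debug_printf, so without TLS debugging enabled a seed file that cannot be written under spool_directory goes unnoticed and the file configured in the init hunk is never refreshed. Consider reporting the failure in the regular log as well, keeping the gcry_strerror(gcr_rc) text. Minor: gcr_rc is a gcry_error_t printed with %d; a cast or an unsigned format would match the type.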
------------------------------
Any obvious breakage? Exim does not use any threading. I have not
included a gcry_check_version(NULL) since I thought gcry_control()
would fail as reliably as gcry_check_version() would, if gcrypt was
not available.
thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'