[gnutls-devel] delaying the initialization of random generator

Andreas Metzler ametzler at bebt.de
Tue Nov 1 14:39:46 CET 2016


On 2016-10-31 Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> Since version 3.5.3, gnutls uses the getrandom() system call on the
> kernels where it is available, replacing the /dev/urandom based
> initialization of the included RNG. However, that comes with a few
> side-effects. Because getrandom() blocks prior to the Linux kernel RNG
> being initialized (unlike /dev/urandom), that means that applications
> that load early on boot and link with gnutls will be blocked until
> that kernel initialization.

> This has already been seen in VMs, in the cases linked by [0]. A
> work-around that can be applied to gnutls is delaying the internal RNG
> initialization to the first call of gnutls_rnd(). That will allow
> applications which do not use the RNG immediately to load faster,
> while on the other hand introduces some complexity and does not
> address the problem when for example the system is in FIPS140-2 mode
> which requires some on-library-load tests which need to call
> gnutls_rnd(). (here I'm also worried about future additions that may
> require random numbers on library load and negate any fixes for that
> issue).

> Any opinions on that? The bottom line is that we cannot completely
> solve the blocking issue, but we can improve it on the occasions
> mentioned above. Should we try and introduce some complexity, or
> should we ignore it and expect the kernel to address it?
[...]

Hello,

I can certainly understand the problem. GnuTLS is automatically
initialized through the library constructor at program startup. This
might not even be necessary, the program might run without using GnuTLS
functions ATM, or might just be an indirect dependency (e.g. cups). In
these use cases GnuTLS should not waste a possibly rare resource like
entropy.

So I would throw in a small unqualified vote for the split.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
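
The deferral discussed in this thread, as an added example that is not part of the original messages and is not GnuTLS code: the load-time constructor draws no entropy, and the first call to a gate function performs the blocking getrandom() seeding. All identifiers (lib_init, kernel_rng_ready, rng_seed_on_first_use) are hypothetical, and the generator that would consume the seed is omitted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdatomic.h>
#include <sys/random.h>

/* All names here are hypothetical; this is not GnuTLS source. */
enum { UNSEEDED, SEEDING, SEEDED };
static atomic_int rng_state = UNSEEDED;
int lib_loaded, seed_count;
static unsigned char seed[32];

/* Load-time constructor: sets up the library but draws no entropy. */
__attribute__((constructor)) static void lib_init(void) { lib_loaded = 1; }

/* 1: kernel pool initialized, 0: getrandom() would block, -1: other error. */
int kernel_rng_ready(void) {
    unsigned char b;
    if (getrandom(&b, 1, GRND_NONBLOCK) == 1) return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Blocking read; retries on EINTR and short reads. */
static int fill_blocking(unsigned char *p, size_t n) {
    while (n > 0) {
        ssize_t r = getrandom(p, n, 0);
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Gate a generator would call before producing output: the first caller
 * seeds (and may block), concurrent callers wait, later calls are free. */
int rng_seed_on_first_use(void) {
    int expected = UNSEEDED;
    if (atomic_load(&rng_state) == SEEDED) return 0;
    if (atomic_compare_exchange_strong(&rng_state, &expected, SEEDING)) {
        int ok = fill_blocking(seed, sizeof seed) == 0;
        if (ok) seed_count++;
        atomic_store(&rng_state, ok ? SEEDED : UNSEEDED); /* on failure a later call retries */
        return ok ? 0 : -1;
    }
    while (atomic_load(&rng_state) == SEEDING) sched_yield();
    return atomic_load(&rng_state) == SEEDED ? 0 : -1;
}

int main(void) { return rng_seed_on_first_use() == 0 ? 0 : 1; }
```

A program that links this code but never calls rng_seed_on_first_use() never issues a blocking getrandom() call, which is the indirect-dependency case raised in the reply.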


