[Help-gnutls] Re: gnutls multi-threaded
Simon Josefsson
jas at extundo.com
Wed Apr 13 16:35:08 CEST 2005
Daniel Stenberg <daniel at haxx.se> writes:
> Reading another thread in the gnutls list, it came to my attention that using
> GnuTLS in a multi-threaded environment requires some locking functions to be
> set for the underlying crypto lib (libgcrypt).
Hi! Yes, this is sadly the situation right now. I don't particularly
fancy libgcrypt's design choice when it comes to threading. That has
been one of the reasons to work on modularizing the crypto stuff in
GnuTLS. Alas, I haven't had time to finish it yet. The goal is to be
able to replace libgcrypt with something else, and also include a
minimalistic and portable crypto library (e.g., Nettle). Then GnuTLS
will be able to build as a standalone package, which is better for
testing.
I have started on a backend agnostic crypto API, called "Generic
Crypto", it is in gnutls/crypto/ right now. This is (or will be) used
by GnuTLS, Shishi, GNU SASL, and possible other projects, and support
libgcrypt and Nettle as crypto-backends. It does hashing, randomness,
and symmetric ciphers now. Adding multiple-precision computations,
public-key operations, s-exp and possibly more is an area which could
use some help. Any comments on the interfaces are appreciated.
> Is there a descriptive web page anywhere that explains this that I can point
> libcurl users to?
Eric Leblond answered this, I think.
> Many libcurl users run multi-threaded programs and this is
> bound to hit the fan as soon as people start trying the GnuTLS-version of
> libcurl more.
Right.
> I'm considering providing this locking/mutex ability in an API to libcurl, so
> that libcurl-using apps can be agnostic to which secure layer libcurl has been
> built to use. But I don't know yet if that is feasable.
>
> Is there a good reason why GnuTLS doesn't export such methods by itself? I
> mean, isn't it rather ugly to force lib-users to have to assume that GnuTLS
> uses libgcrypt?
>
> Or have I misunderstood things?
No, and I agree with you, it is not elegant now. One problem with
adding these methods is that it suggest to people that they should
always use them, and that it is a good thing to use them, which I
think sends the wrong signals. But as you say, it may be even more
inelegant to force GnuTLS users to use libgcrypt directly. I think
these locking/mutex hooks should be added to the GnuTLS API. Patches
welcome..
Regards,
Simon
More information about the Gnutls-help
mailing list