* Simon Josefsson:

> Ok. Still, my main question is whether GnuTLS could utilize these hooks
> somehow. I guess we could have two functions:
>
> int
> gnutls_set_random_seed_file (const char *filename);
> int
> gnutls_update_random_seed ();
>
> The first function would have to be called before gnutls_global_init().
> Then exim could invoke the function, to avoid having to call libgcrypt
> directly.
I'm not sure how this applies to Exim, though. In many interesting scenarios, we've got a central daemon process. We could try to grab an exclusive lock on the seed file, and if it succeeds, call gnutls_set_random_seed_file, and the update function when the daemon exits. However, I'm not really sure if this helps much because GnuTLS isn't run until after a fork, and the library needs to reinitialize the random pool anyway. We'd need a separate daemon for that (IIRC, this is what Cryptlib does). Or we could fix the kernel. The latter is hard because it is kind of difficult to show that there actually is a problem. Portability considerations favor the daemon approach, too, if you aren't interested in shifting blame around.

-- 
Florian Weimer <[EMAIL PROTECTED]>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
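The seed-file handling Florian sketches (take an exclusive lock on the seed file, load it only if the lock is won, write fresh material back when the daemon exits) and the fork hazard he raises, worked through as an added example; this is not code from the thread, Exim or GnuTLS. The `gnutls_*` functions in the quote are only a proposal, so they are not called. `seed_acquire`, `seed_needs_reinit`, `seed_update` and the `/tmp/seed_example.bin` path are hypothetical names chosen here, and the file locking uses `flock(2)`, which the thread does not specify.

```c
/* Added example, not from the thread: daemon-side seed-file pattern with
 * fork detection.  Helper names and the seed path are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/file.h>
#include <sys/types.h>
#include <sys/wait.h>

#define SEED_LEN 32

struct seed_state {
    int fd;                        /* open, exclusively locked seed file; -1 if not held */
    pid_t owner;                   /* pid of the process that loaded the seed */
    unsigned char seed[SEED_LEN];  /* bytes read from the file (zero if it was empty) */
};

/* Open the seed file (created mode 0600 so only the daemon's user can read it)
 * and take an exclusive, non-blocking lock.  Returns 1 if we hold the lock and
 * loaded the seed, 0 if another instance already holds it, -1 on I/O error. */
int seed_acquire(struct seed_state *st, const char *path)
{
    st->fd = -1;
    memset(st->seed, 0, SEED_LEN);
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int contended = (errno == EWOULDBLOCK);
        close(fd);
        return contended ? 0 : -1;
    }
    if (read(fd, st->seed, SEED_LEN) < 0) {
        close(fd);
        return -1;
    }
    st->fd = fd;
    st->owner = getpid();
    return 1;
}

/* Florian's point: after fork() the child holds a byte-for-byte copy of the
 * parent's pool, so a seed loaded before the fork must not be used as-is.
 * Remembering the loading pid lets the library notice that it has been forked. */
int seed_needs_reinit(const struct seed_state *st)
{
    return st->fd >= 0 && st->owner != getpid();
}

/* Write fresh seed material back (e.g. at daemon exit), fsync it, and release
 * the lock.  Returns 0 on success, -1 on error.  Only the lock holder may call this. */
int seed_update(struct seed_state *st, const unsigned char *fresh, size_t len)
{
    if (st->fd < 0 || len != SEED_LEN)
        return -1;
    if (lseek(st->fd, 0, SEEK_SET) < 0 || ftruncate(st->fd, 0) < 0)
        return -1;
    if (write(st->fd, fresh, len) != (ssize_t)len || fsync(st->fd) < 0)
        return -1;
    memcpy(st->seed, fresh, len);
    flock(st->fd, LOCK_UN);
    close(st->fd);
    st->fd = -1;
    return 0;
}

int main(void)
{
    struct seed_state st;
    int r = seed_acquire(&st, "/tmp/seed_example.bin");  /* constructed path */
    if (r != 1) {
        fprintf(stderr, "seed file busy or unreadable (%d)\n", r);
        return 1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        /* child: same pool bytes as the parent, so reinitialization is required */
        printf("child needs reinit: %d\n", seed_needs_reinit(&st));
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    unsigned char fresh[SEED_LEN] = {0};  /* real code: output of the running CSPRNG */
    return seed_update(&st, fresh, SEED_LEN) == 0 ? 0 : 1;
}
```

A second `seed_acquire` in the same process (or from another daemon instance) returns 0 rather than silently sharing the seed, and the child's `seed_needs_reinit` reports 1, which is exactly the situation the message says the library must handle itself.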

