On 2008-01-04 Simon Josefsson <[EMAIL PROTECTED]> wrote:
[...]
> 2) To make exim link to and call libgcrypt's functions to read and
> update a random seed file instead?
[...]
> For simplicity and non-experimentalness, I would recommend 2). I can
> assist in implementing this in exim, if that would help. We'd
> definitely need a good example of how to do this in the gnutls manual
> anyway.
[...]
Well, the basic patch for testing seems to be this one, basically
identical to the skeleton you described. I gets down entropy-usage
for a single STARTTLS to <300 bits from > 3000.
----------------------------
diff -Nur exim-orig/src/tls-gnu.c exim-4.68/src/tls-gnu.c
--- exim-orig/build-tree/src/tls-gnu.c 2007-08-30 16:31:06.000000000 +0200
+++ exim-4.68/build-tree/src/tls-gnu.c 2008-01-04 15:58:40.000000000 +0100
@@ -20,6 +20,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#include <gcrypt.h>
#define UNKNOWN_NAME "unknown"
#define DH_BITS 1024
@@ -444,6 +445,8 @@
initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT;
+gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,"/var/run/exim4/random.seed");
+
rc = gnutls_global_init();
if (rc < 0) return tls_error(US"tls-init", host, rc);
@@ -1305,6 +1308,7 @@
{
if (tls_active < 0) return; /* TLS was not active */
+gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
if (shutdown)
{
DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
----------------------------
Error checking, and having the file in spool_directory instead (since
it is a private directoy present on any exim installation) is missing.
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
