On 2008-01-08 Werner Koch <[EMAIL PROTECTED]> wrote: > On Fri, 4 Jan 2008 17:01, [EMAIL PROTECTED] said:
> > Right. So what should applications like exim do exactly? Is there > My suggestion is: [...] Hello, which yields this stripped down version for exim: ------------------------------ diff -urNad exim4-4.68~/build-tree/src/tls-gnu.c exim4-4.68/build-tree/src/tls-gnu.c --- exim4-4.68~/build-tree/src/tls-gnu.c 2007-08-30 14:31:06.000000000 +0000 +++ exim4-4.68/build-tree/src/tls-gnu.c 2008-01-27 18:42:00.000000000 +0000 @@ -20,6 +20,7 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> +#include <gcrypt.h> #define UNKNOWN_NAME "unknown" #define DH_BITS 1024 @@ -440,10 +441,32 @@ uschar *crl) { int rc; +uschar filename[200]; uschar *cert_expanded, *key_expanded, *cas_expanded, *crl_expanded; +gcry_error_t gcr_rc; initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT; +/* Use a random_seed file for gcrypt's RNG */ +if (host_number_string != NULL) + { + if (!string_format(filename, sizeof(filename), "%s/random.seed%s", + spool_directory, host_number_string)) + return tls_error(US"overlong filename spool_directory/random.seedlocalhost_number", host, 0); + } +else + { + if (!string_format(filename, sizeof(filename), "%s/random.seed", + spool_directory)) + return tls_error(US"overlong filename spool_directory/random.seed", host, 0); + } + +gcr_rc = gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE,filename); +if (gcr_rc) + return tls_error(US"Failure to set random_seed file", host, gcr_rc); + +gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); + rc = gnutls_global_init(); if (rc < 0) return tls_error(US"tls-init", host, rc); @@ -1303,8 +1326,19 @@ void tls_close(BOOL shutdown) { +gcry_error_t gcr_rc; + if (tls_active < 0) return; /* TLS was not active */ +gcr_rc = gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE); + +if (gcr_rc) + { + DEBUG(D_tls) debug_printf( + "GCRYCTL_UPDATE_RANDOM_SEED_FILE failed: (%d): (%s)\n", + gcr_rc,gcry_strerror(gcr_rc)); + } + if (shutdown) { DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n"); ------------------------------ Any obvious breakage? Exim does not use any threading. I have not included an gcry_check_version(NULL) since I thought gcry_control() would fail as reliably as gcry_check_version() would, if gcrypt was not available. thanks, cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]