mike-jumper commented on a change in pull request #321:
URL: https://github.com/apache/guacamole-server/pull/321#discussion_r561319738
##########
File path: src/common-ssh/ssh.c
##########
@@ -140,11 +140,26 @@ static void guac_common_ssh_openssl_free_locks(int count)
{
int guac_common_ssh_init(guac_client* client) {
#ifdef LIBSSH2_USES_GCRYPT
- /* Init threadsafety in libgcrypt */
- gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
- if (!gcry_check_version(GCRYPT_VERSION)) {
- guac_client_log(client, GUAC_LOG_ERROR, "libgcrypt version mismatch.");
- return 1;
+
+ if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) {
+
+ /* Init threadsafety in libgcrypt */
+ gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+
+ /* Initialize GCrypt */
+ if (!gcry_check_version(GCRYPT_VERSION)) {
+ guac_client_log(client, GUAC_LOG_ERROR, "libgcrypt version
mismatch.");
+ return 1;
+ }
+
+ /* Initialize secure memory space. */
+ gcry_control(GCRYCTL_SUSPEND_SECMEM_WARN);
+ gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);
+ gcry_control(GCRYCTL_RESUME_SECMEM_WARN);
Review comment:
I'm somewhat concerned about allocating secure memory unless we expect
that it will be used, as it is apparently a finite resource. From my read of
the initialization docs for gcrypt, this will not affect usage of memory in
general, but rather only explicit attempts to allocate secure memory using
gcrypt's functions for doing so. Looking through the libvncclient (and libssh2)
code, I'm so far not seeing any usage of secure memory.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
