|

»

GnuPG - Libgcrypt - Dev

gcrypt initialization

View: New views

3 Messages — Rating Filter: Alert me

	gcrypt initialization by Daniel Kahn Gillmor-7 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message hey gcrypt folks-- I'm trying to understand the various phases of gcrypt initialization. I've read the docs, but in some places they appear to be self-contradictory about what calls are specifically allowed when. As i understand it, the required order is: A) gcry_control(GCRYCTL_SET_THREAD_CBS or GCRYCTL_FORCE_FIPS_MODE) B) gcry_check_version() C) gcry_control(<other commands>,...) D) gcry_control(GCRYCTL_INITIALIZATION_FINISHED) E) <actual use of the library> When a gcry_control command says that it can "only be used during initialization time" (e.g. GCRYCTL_ENABLE_M_GUARD), i believe that means that it must be invoked during phase C, but other gcry_control invocations can be invoked at any time (including after the library has actually been used). Is this correct? What am i missing? Regards, --dkg _______________________________________________ Gcrypt-devel mailing list Gcrypt-devel@... http://lists.gnupg.org/mailman/listinfo/gcrypt-devel signature.asc (909 bytes) Download Attachment
	Re: gcrypt initialization by Werner Koch :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Mon, 26 Oct 2009 23:14, dkg@... said: > A) gcry_control(GCRYCTL_SET_THREAD_CBS or GCRYCTL_FORCE_FIPS_MODE) The first is merely a handmade constructor and as such pretty special. The second is: @item GCRYCTL_FORCE_FIPS_MODE; Arguments: none Running this command puts the library into FIPS mode. If the library is already in FIPS mode, a self-test is triggered and thus the library will be put into operational state. This command may be used before a call to gcry_check_version and that is actually the recommended way to let an [...] and states that it may be used before gcry_check_version (between A and B) to force gcrypt into fips mode. > When a gcry_control command says that it can "only be used during > initialization time" (e.g. GCRYCTL_ENABLE_M_GUARD), i believe that Okay, the docs are not clear. I changed it to say "before gcry_check_version". Let me know if you find other unclear documentation. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gcrypt-devel mailing list Gcrypt-devel@... http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
	Re: gcrypt initialization by Daniel Kahn Gillmor-7 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On 10/28/2009 09:35 AM, Werner Koch wrote: > Okay, the docs are not clear. I changed it to say "before > gcry_check_version". Thanks, Werner. > Let me know if you find other unclear documentation. line 523 of gcrypt.texi appears to claim that the full set of functionality allowed before gcry_check_version is GCRYCTL_SET_THREAD_CBS. Maybe it should mention GCRYCTL_FORCE_FIPS_MODE and GCRYCTL_ENABLE_M_GUARD and GCRYCTL_ANY_INITIALIZATION_P (and others?) Alternately, if there really are valid phases of initialization, maybe it'd be useful to define them (with more semantically-meaningful names than my earlier "A,B,C"), and indicate which commands belong to which phase? Another thing that might be useful to document is what the relationship is between the other gcry_control() calls and GCRYCTL_INITIALIZATION_FINISHED -- at the moment, it's unclear what the consequences of GCRYCTL_INITIALIZATION_FINISHED are, other than GCRYCTL_INITIALIZATION_FINISHED_P returning a different value, and the library appears to work without that call. So why should a user bother to issue GCRYCTL_INITIALIZATION_FINISHED? Regards, --dkg _______________________________________________ Gcrypt-devel mailing list Gcrypt-devel@... http://lists.gnupg.org/mailman/listinfo/gcrypt-devel signature.asc (909 bytes) Download Attachment