curl-library

Re: weak randomness with some TLS backends

From: Chris Ghormley <chris_at_set-point.com>
Date: Wed, 04 Jun 2014 12:29:05 -0700

On 6/3/2014 13:02, Daniel Stenberg wrote:
> Friends!
>
> I just noticed that we only provide a strong random function for four of our
> ten TLS backends:
>
> $ grep "define have_curlssl_random" vtls/*.h
> vtls/curl_darwinssl.h:#define have_curlssl_random 1
> vtls/gtls.h:#define have_curlssl_random 1
> vtls/nssg.h:#define have_curlssl_random 1
> vtls/openssl.h:#define have_curlssl_random 1
>
> In other words, only libcurl built to use one of DarwinSSL, GnuTLS, NSS or
> OpenSSL gets really strong random for SASL/Digest/forms etc that want good
> randomness.
>
> I think this is mostly an oversight with the other backends and I'm leaning
> towards making this cause a build failure until we fix it for all backends to
> make it really notable.
>
> Please check out if you can help us make your favorite backend do the right
> thing!
>
> -- / daniel.haxx.se
Here is a patch for axTLS. I don't submit patches very often, so I
apologize if I'm doing it wrong.
This backend doesn't seem to do anything spectacular for
randomness...I'm not an expert.
But if it does/did I think this is the right way to call it.

I performed limited testing to make sure my product talks to my servers
(nginx and lighttpd with OpenSSL).

--
Chris
diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
index 36cb7ad..3aec2a9 100644
--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
@@ -664,4 +664,23 @@ size_t Curl_axtls_version(char *buffer, size_t size)
   return snprintf(buffer, size, "axTLS/%s", ssl_version());
 }
 
+void Curl_axtls_random(struct SessionHandle *data, unsigned char *entropy,
+                      size_t length)
+{
+  get_random(curlx_uztosi(length), data);
+}
+
+void Curl_axtls_md5sum(unsigned char *tmp, /* input */
+                      size_t tmplen,
+                      unsigned char *md5sum /* output */,
+                      size_t unused)
+{
+  MD5_CTX MD5pw;
+  (void)unused;
+  MD5_Init(&MD5pw);
+  MD5_Update(&MD5pw, tmp, tmplen);
+  MD5_Final(md5sum, &MD5pw);
+}
+
+
 #endif /* USE_AXTLS */
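Review bot: In Curl_axtls_random the call get_random(curlx_uztosi(length), data) passes the struct SessionHandle pointer as the output buffer and never references entropy, so the caller's buffer is left unfilled while length random bytes are written over the session handle. The second argument should be entropy, with (void)data; added to mark the handle as intentionally unused, as Curl_axtls_md5sum already does for its unused parameter. It is also worth building with warnings enabled, since handing a struct pointer to a byte-buffer parameter should be flagged by the compiler.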
diff --git a/lib/vtls/axtls.h b/lib/vtls/axtls.h
index db91365..28895eb 100644
--- a/lib/vtls/axtls.h
+++ b/lib/vtls/axtls.h
@@ -47,6 +47,10 @@ size_t Curl_axtls_version(char *buffer, size_t size);
 int Curl_axtls_shutdown(struct connectdata *conn, int sockindex);
 int Curl_axtls_check_cxn(struct connectdata *conn);
 
+/* this backend provides these functions: */
+#define have_curlssl_random 1
+#define have_curlssl_md5sum 1
+
 /* API setup for axTLS */
 #define curlssl_init Curl_axtls_init
 #define curlssl_cleanup Curl_axtls_cleanup
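Review bot: The comment above have_curlssl_random and have_curlssl_md5sum says only that the backend provides the functions, but in this thread have_curlssl_random is the marker for backends that supply strong randomness, and the submission itself is unsure how strong axTLS's generator is. Before setting the define to 1, confirm what get_random draws from in the axTLS build configurations curl supports and record that in the comment, so this backend is not counted as providing strong random on the basis of an unverified generator.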
@@ -62,6 +66,8 @@ int Curl_axtls_check_cxn(struct connectdata *conn);
 #define curlssl_version Curl_axtls_version
 #define curlssl_check_cxn(x) Curl_axtls_check_cxn(x)
 #define curlssl_data_pending(x,y) (x=x, y=y, 0)
+#define curlssl_random(x,y,z) Curl_axtls_random(x,y,z)
+#define curlssl_md5sum(a,b,c,d) Curl_axtls_md5sum(a,b,c,d)
 
 #endif /* USE_AXTLS */
 #endif /* HEADER_CURL_AXTLS_H */
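Review bot: The curlssl_random and curlssl_md5sum macros added here expand to Curl_axtls_random and Curl_axtls_md5sum, but neither axtls.h hunk adds a prototype for those functions, which are defined only at the end of axtls.c. Any other file that uses the macros through this header would call them without a declaration in scope. Add both prototypes next to the existing Curl_axtls_version and Curl_axtls_check_cxn declarations.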
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-06-04