cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Flag to bail out if not enough entropy?

From: Török Edwin <edwin+ml-curl_at_etorok.net>
Date: Tue, 27 Sep 2016 18:26:49 +0300

On 2016-09-27 16:27, Daniel Stenberg wrote:
> On Mon, 26 Sep 2016, Török Edwin wrote:
>
>> /* If we get here, it means we need to seed the PRNG using a "silly"
>> approach! */
>> do {
>> unsigned char randb[64];
>> int len = sizeof(randb);
>> RAND_bytes(randb, len);
>> RAND_add(randb, len, (len >> 1));
>> } while(!RAND_status());
>
> I'm not sure this particular loop is as stupid as the comment implies. RAND_bytes() is supposed to give crypto safe random and according to https://wiki.openssl.org/index.php/Random_Numbers the function will even init the random generator itself if it wasn't done before.
>
>> I'd prefer to get an error if (lib)curl cannot seed OpenSSL with enough entropy (AFAICT OpenSSL wants at least 256 bits): something is seriously wrong if it can't (e.g. running curl in a chroot without mounting /dev), and I'd rather want to know about it and fix it, than establish a possibly insecure HTTPS connection (the PRNG might be used to generate ephemeral keys).
>>
>> Could there be a flag added to libcurl that would cause it to return an error in this case?
>
> Sure. But I'm not sure when that would happen (in a fashion that we can test) and how you can tell in that function?

With 'OpenSSL 1.0.2h-fips 3 May 2016' and 'chmod 0660 /dev/urandom; chmod 0660 /dev/random;' curl loops infinitely in that function.
This might be dependant on the OpenSSL version, but apparently RAND_bytes consumes more entropy than RAND_add adds back, so its not as bad as I initially thought.
Still I'd prefer an error message to an infinite loop :)

Best regards,

-- 
Edwin Török | Co-founder and Lead Developer
Skylable open-source object storage: reliable, fast, secure
http://www.skylable.com
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-27