cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Flag to bail out if not enough entropy?

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Tue, 27 Sep 2016 17:30:48 +0200

* Daniel Stenberg:

> On Tue, 27 Sep 2016, Florian Weimer wrote:
>
>>> I'm not sure this particular loop is as stupid as the comment
>>> implies. RAND_bytes() is supposed to give crypto safe random and
>>> according to https://wiki.openssl.org/index.php/Random_Numbers the
>>> function will even init the random generator itself if it wasn't
>>> done before.
>>
>> RAND_bytes can fail for various reasons, including if the generator
>> could not be seeded. Details depend on the engine backend OpenSSL
>> uses.
>
> Ah right, so the loop should check the return codes properly and be
> able to return a failure back to its parent if they fail?
>
> Any chance (anyone of) you have a patch to suggest for this?

Well, Török Edwin is right in the sense that modern OpenSSL should
take care of this automatically. If there is still a platform where
this is needed, we'd have to look at what it provides in terms of
randomness sources, how we can properly synchronize access to the
randomness file, and how we can prevent duplicate streams of random
bytes reliably (which is difficult if there is no entropy source at
all in the system).

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-27