Our mbedTLS backend provides no good random!
Date: Sat, 12 Nov 2016 16:47:12 +0100 (CET)
This is both an alert and a request for help at the same time.

First: internally when libcurl wants a random value for formdata/ntlm/digest
etc, it uses the function that the underlying TLS backend provides in order to
get as strong random as possible. Of course, building libcurl completely
without TLS takes that away and then users are left with weaker random and as
a consequence weaker security properties. But then I suppose that's not a
surprise if you opt to do it without TLS.

Now, mbedTLS and its precursor PolarSSL are two backends that don't have any
function set up for the vtls API to provide random data to libcurl. This makes
libcurl use as weak a random for mbedTLS as it does when built completely
without TLS. It would be good to get this fixed, as I believe most people who
opt to use mbedTLS still would like to get the best possible security level.

My attempt to implement such a function for the mbedtls backend can be found
in the attached patch. IT DOES NOT WORK. I'll of course appreciate it if someone
with greater insights and understanding of mbedTLS would take a look at this
problem and send us a working fix instead.
-- / daniel.haxx.se
- text/x-diff attachment: 0001-mbedtls-provide-random-to-libcurl-via-the-vtls-API.patch