Re: [Question] Forcing libcurl to use hardware randomization
From: Cristian Rodríguez via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 6 Mar 2023 10:07:58 -0300
On Sun, Mar 5, 2023 at 1:33 PM Randall via curl-library
<curl-library_at_lists.haxx.se> wrote:
>
> Hi Curl,
>
> I have a curl built with OpenSSL. The build of OpenSSL uses hardware
> randomization on the platform using _rdrand64(). When I use libcurl,
> typically through git, I end up with an open to PRNGD, which is not
> desirable. I'm wondering whether there is a configuration setting that I am
> missing from curl to force this, or whether I should contribute code to
> access the x86 hardware randomizer directly. There is no /dev/urandom or
> /dev/random on this platform, aside from it being POSIX compliant. Curl is
> configured as follows:
>
> CFLAGS="-c99" CPPFLAGS="-D_XOPEN_SOURCE_EXTENDED=1 -WIEEE_float
> -I/usr/local/openssl/include" LDFLAGS="-L/usr/local/lib" ./configure
> --with-ssl=/usr/local --with-ca-path=/usr/local/ssl/certs --disable-pthreads
> --disable-threaded-resolver --enable-ipv6
>
> Thanks in advance,
> Randall
>
> --
> Brief whoami: NonStop&UNIX developer since approximately
> UNIX(421664400)
> NonStop(211288444200000000)
> -- In real life, I talk too much.
I strongly advise you against this approach. There are buggy CPUs
with buggy rdrand; there are a number of pitfalls.
Most current operating systems have either getentropy, getrandom,
arc4random or a documented platform-specific RNG. USE THAT INSTEAD.
If there is really only rdrand (I really doubt that) on this exotic
system, google "fast key erasure rng AES-NI";
something like https://github.com/jedisct1/aes-stream should do it.
Received on 2023-03-06
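
The reply's advice to take randomness from the operating system rather than from RDRAND directly, as an added example that is not part of the original thread or of curl's code. It assumes a libc that provides `getentropy()`; the helper name `os_random_bytes` is hypothetical.

```c
/* Added example, not from the thread or from curl. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose getentropy() under strict -std=c99 on glibc */
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>     /* assumed location of getentropy(): glibc >= 2.25, macOS */

/* getentropy() rejects requests larger than 256 bytes, so fill in chunks. */
#define ENTROPY_CHUNK 256

/* Hypothetical helper. Returns 0 on success, -1 on failure.
 * Fails closed: on error the buffer is zeroed so no partially random
 * key material can be used by mistake. */
int os_random_bytes(void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t done = 0;

    while (done < len) {
        size_t n = len - done;
        if (n > ENTROPY_CHUNK)
            n = ENTROPY_CHUNK;
        if (getentropy(p + done, n) != 0) {
            memset(buf, 0, len);
            return -1;
        }
        done += n;
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];  /* e.g. a 256-bit key */

    if (os_random_bytes(key, sizeof key) != 0) {
        perror("getentropy");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

On OpenBSD `getentropy()` is declared in `<unistd.h>` instead, so the `<sys/random.h>` include would be dropped there.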