curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: [Question] Forcing libcurl to use hardware randomization

From: Cristian Rodríguez via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 8 Mar 2023 10:02:49 -0300

On Mon, Mar 6, 2023 at 7:30 PM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Mon, 6 Mar 2023, rsbecker_at_nexbridge.com wrote:
>
> > So if OpenSSL RAND_bytes() goes to the HRNG by default, will curl?
>
> curl calls OpenSSL's RAND_bytes(), yes.
>
> I don't know how that works or what exact mechanism it will use beyond what
> they document. Their man page does not mention hardware support:
>
> https://www.openssl.org/docs/man3.0/man3/RAND_bytes.html

It depends on which openSSL version. versions < 1.1.1 use a SHA1-based
RNG for which rdrand is considered as a seed material if available.
Current versions have a number of RNG providers so you have a bigger
arsenal to shoot yourself in the foot if you wish so, defaults to NIST
 AES-CTR DRBG. RDRAND was last time I checked used as seed if
available.
Do not use this on Linux, call getentropy or getrandom instead, only
the kernel has all the relevant information to make a decision about
when to discard the RNG state and start over. Currently this is
impossible to do in userspace (the kernel does not export such
information)
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2023-03-08