
curl-library

Re: Additional relevant changes for PolarSSL 1.1.0

From: Paul Bakker <paul_curl_at_brainspark.nl>
Date: Fri, 27 Jan 2012 10:26:40 +0100

On 20-1-2012 7:07, curl-library-request_at_cool.haxx.se wrote:
> On Thu, 19 Jan 2012, Paul Bakker wrote:
>
> Thanks for pointing these things out!
>
>> > I would like to point to
>> > http://polarssl.org/trac/wiki/SecurityAdvisory201102
>> >
>> > My advice is to move from HAVEGE to the CTR_DRBG where possible.
> Ugha. So why rename the function at all? Why not simply remove it to prevent
> people (like us) who don't pay attention to keep using an unsafe function?
Because it's still useful in a number of scenarios. HAVEGE is even still
used inside the entropy pool for possible entropy generation from the
timer, when available.
> Any chance I can lure you into writing a patch that makes it use CTR_DRBG
> instead?
I'm very busy at the moment, but I will do so as soon as possible.
>> > In addition, I see that error codes are reported in a debug function.
>> >
>> > PolarSSL now includes error.c which has error_strerror() for translating
>> > error codes to human-readable format.
> I'll save those ones for the people who actually are using libcurl with
> polarssl to fix...
This as well is a very simple fix. Will add that as well.

Paul
Received on 2012-01-27