curl-library

RE: weak randomness with some TLS backends

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Tue, 3 Jun 2014 21:56:11 +0100

On Tue, 3 Jun 2014, Daniel Stenberg wrote:

> In other words, only libcurl built to use one of DarwinSSL,
> GnuTLS, NSS or OpenSSL get really strong random for
> SASL/Digest/forms etc that want good randomness.

I've just been having a hunt around to see what Windows provides for use in
or alongside SChannel.

It seems that CryptGenRandom() is available in the Cryptography API but will
mean another dependency on (LoadLibrary call for) advapi32.dll (in addition
to the current security.dll dependency) [1]. However, I'm not sure if it is
available pre-Windows 2000.

Alternatively there is rand_s() in the CRT [2] but most of the _s functions
were only available in Visual Studio 2005 onwards if memory serves me
correctly...

...and from what I read [3] I believe rand_s() uses RtlGenRandom()
internally and requires Windows XP / Server 2003 or later [4]

I'm not sure on what our take is for the minimum supported Windows version
as I know we have some code in curl_sspi.c that detects older versions and
loads secur32.dll rather than security.dll so some of this may be an issue??

Kind Regards

Steve

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx
[2] http://msdn.microsoft.com/en-us/library/sxtz2fa8.aspx
[3] http://en.wikipedia.org/wiki/CryptGenRandom
[4] http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694(v=vs.85).aspx

Received on 2014-06-03