curl-library
RE: weak randomness with some TLS backends
Date: Wed, 4 Jun 2014 14:55:27 +0200
Hi!
On Jun 3, 2014 11:00 PM, "Steve Holme" <steve_holme_at_hotmail.com> wrote:
>
> On Tue, 3 Jun 2014, Daniel Stenberg wrote:
>
> > In other words, only libcurl built to use one of DarwinSSL,
> > GnuTLS, NSS or OpenSSL get really strong random for
> > SASL/Digest/forms etc that want good randomness.
>
> I've just been having a hunt around to see what Windows provides for use in
> or alongside SChannel.
>
> It seems that CryptGenRandom() is available in the Cryptography API but will
> mean another dependency on (LoadLibrary call for) advapi32.dll (in addition
> to the current security.dll dependency) [1] However, I'm not sure if it is
> available pre Windows 2000.
It is not available publicly. It may however be available via rtl api
call. I have to check.
> Alternatively there is rand_s() in the CRT [2] but most of the _s functions
> were only available in Visual Studio 2005 onwards if memory serves me
> correctly...
I would not use them, at all, for any RNG operations related to SSL or
sessions.
> ...and from what I read [3] I believe rand_s() uses RtlGenRandom()
> internally and requires Windows XP / Server 2003 or later [4]
+desktop mode. As it will gather entropy from desktop events as well.
> I'm not sure on what our take is for the minimum supported Windows version
> as I know we have some code in curl_sspi.c that detects older versions and
> loads secur32.dll rather than security.dll so some of this may be an issue??
I think it is time to drop Windows 2000. Maybe even XP at some point. But
this function is available for XP, so it is not an issue at this point.
Cheers,
Pierre
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-06-04
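
Added example (not part of the original thread and not curl's own code): one way to reach RtlGenRandom() through a LoadLibrary call on advapi32.dll, as discussed above, failing closed instead of falling back to a weak generator. advapi32.dll exports RtlGenRandom under the name SystemFunction036; the function name os_random and the /dev/urandom branch for non-Windows builds are assumptions of this example.

```c
/* Added example: fill a buffer from the OS CSPRNG; return 0 on success, -1 on failure. */
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
/* RtlGenRandom has no import library; advapi32.dll exports it as SystemFunction036. */
typedef BOOLEAN (WINAPI *rtl_gen_random_fn)(PVOID, ULONG);

int os_random(unsigned char *buf, size_t len)
{
  static rtl_gen_random_fn gen;        /* resolved once, then reused */
  if(len > 0xFFFFFFFFUL)
    return -1;                         /* length must fit in a ULONG */
  if(!gen) {
    HMODULE lib = LoadLibraryA("advapi32.dll");
    if(!lib)
      return -1;
    gen = (rtl_gen_random_fn)GetProcAddress(lib, "SystemFunction036");
    if(!gen)
      return -1;                       /* export absent on this Windows version */
  }
  return gen(buf, (ULONG)len) ? 0 : -1;
}
#else
/* Assumption: outside Windows, read the kernel CSPRNG device instead. */
int os_random(unsigned char *buf, size_t len)
{
  FILE *f = fopen("/dev/urandom", "rb");
  size_t got;
  if(!f)
    return -1;
  got = fread(buf, 1, len, f);
  fclose(f);
  return got == len ? 0 : -1;          /* short read counts as failure */
}
#endif

int main(void)
{
  unsigned char nonce[16];             /* e.g. a Digest client nonce */
  size_t i;
  if(os_random(nonce, sizeof(nonce)) != 0) {
    fputs("no strong randomness available\n", stderr);
    return 1;
  }
  for(i = 0; i < sizeof(nonce); i++)
    printf("%02x", nonce[i]);
  putchar('\n');
  return 0;
}
```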