On Fri, Dec 02, 2005 at 12:45:44AM +1100, Steven Reddie wrote: > That's an interesting blog article. The 2nd comment is by the author and > lists the entropy sources. I recall there was discussion on this list quite > some time ago where it was stated that OpenSSL wouldn't use only the > CryptoAPI random number generator since Microsoft hadn't provided details of > how the entropy was gathered. Perhaps the information in that post provides > enough detail to warrant dropping all of the heap walking guff that has been > known to trip up OpenSSL on occasion.
That wouldn't work if you still wish to support Windows systems prior to XP/2003 - and I know for a fact that people are still deploying new code on NT4 right now, so that decision might be unpopular. That's not to say it is not the right decision (personally I'd love to forget supporting Windows < XP/2K3, just as I don't have to make sure my code works on RedHat 5.0 or HP-UX 9), but certainly it will cause complaints. Also, in theory, CryptGenRandom can be better than the new function, since, *if* you have a alternate crypto provider (such as one that pulls in entropy from the old i810 motherboard RNG, or an HSM, or whatever) you might get a better entropy source. Now, the question is if that benefit is worth the overhead and mess of dealing with CryptoAPI... I would tend to say it is not, because so few people will actually have such special hardware/providers installed. But it is worth considering. -Jack ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
