On Mon, Apr 24, 2017 at 02:52:30PM +0100, Peter Maydell wrote: > On 24 April 2017 at 14:36, Daniel P. Berrange <berra...@redhat.com> wrote: > > FYI, both gnutls and openssl use these CryptAcquireContext/CryptGenRandom > > methods, so I'd prefer to stick with that. > > They probably need the full crypto API anyway, though... > > > It seems we merely need to set CRYPT_SILENT in the flags to prevent any > > chance of interactive prompts. > > > > https://msdn.microsoft.com/en-us/library/windows/desktop/aa379886(v=vs.85).aspx > > How about CRYPT_VERIFYCONTEXT? The docs say "in most cases this flag > should be set". > > This kind of discussion puts me off the Crypt* APIs though -- they're > a complicated API that can easily be misused. "Please just fill > this buffer with randomness" is a simple API that's hard to call > wrongly...
This is the extent of gnutls's code in this area https://gitlab.com/gnutls/gnutls/blob/master/lib/nettle/sysrng-windows.c Our API has the same usage scenario as this, hence my preference to mirror what gnutls & other crypto libraries are using. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
