CryptGenRandom is available on all Windows back to Windows 95. RtlGenRandom is only available since XP; however, CryptGenRandom makes use of it. Presumably RtlGenRandom has always been around, it's just never been documented or made generally available until now.

Why is there a reluctance to deal with CryptoAPI? I've used CryptGenRandom in my own code and never had a problem with it.

Regards,
Steven

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jack Lloyd
Sent: Friday, 2 December 2005 6:04 AM
To: openssl-dev@openssl.org
Subject: Re: Alternate RAND_poll for XP/2003 Server/Vista

On Fri, Dec 02, 2005 at 12:45:44AM +1100, Steven Reddie wrote:
> That's an interesting blog article. The 2nd comment is by the author
> and lists the entropy sources. I recall there was discussion on this
> list quite some time ago where it was stated that OpenSSL wouldn't use
> only the CryptoAPI random number generator since Microsoft hadn't
> provided details of how the entropy was gathered. Perhaps the
> information in that post provides enough detail to warrant dropping
> all of the heap walking guff that has been known to trip up OpenSSL on
> occasion.

That wouldn't work if you still wish to support Windows systems prior to XP/2003 - and I know for a fact that people are still deploying new code on NT4 right now, so that decision might be unpopular. That's not to say it is not the right decision (personally I'd love to forget supporting Windows < XP/2K3, just as I don't have to make sure my code works on RedHat 5.0 or HP-UX 9), but certainly it will cause complaints.

Also, in theory, CryptGenRandom can be better than the new function, since, *if* you have an alternate crypto provider (such as one that pulls in entropy from the old i810 motherboard RNG, or an HSM, or whatever) you might get a better entropy source. Now, the question is if that benefit is worth the overhead and mess of dealing with CryptoAPI... I would tend to say it is not, because so few people will actually have such special hardware/providers installed. But it is worth considering.

-Jack
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
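The trade-off the thread is weighing, shown as an added C example that is not code from the thread or from OpenSSL's own RAND_poll: a seeding helper that resolves RtlGenRandom at runtime (advapi32.dll exports it under the name SystemFunction036, and the export does not exist before XP/2003, so a direct import would stop the binary loading on older Windows), falls back to CryptGenRandom through CryptoAPI where that lookup fails, and on non-Windows platforms reads /dev/urandom so the same code can be exercised anywhere. The function names `gather_os_entropy`, `looks_nonconstant` and `self_check` are hypothetical.

```c
/* Added example, not from the thread or from OpenSSL. Order of preference on
 * Windows mirrors the discussion: RtlGenRandom first, CryptGenRandom as the
 * fallback that also covers pre-XP systems. Function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with advapi32.lib */

/* RtlGenRandom's prototype: BOOLEAN RtlGenRandom(PVOID buf, ULONG len). */
typedef BOOLEAN (WINAPI *RtlGenRandomFn)(PVOID buffer, ULONG length);

/* Preferred path: locate RtlGenRandom by its export name so the program still
 * loads on Windows versions whose advapi32.dll lacks it. */
static int seed_with_rtlgenrandom(unsigned char *buf, size_t len)
{
    HMODULE advapi = LoadLibraryA("advapi32.dll");
    if (advapi == NULL)
        return 0;
    RtlGenRandomFn fn = (RtlGenRandomFn)GetProcAddress(advapi, "SystemFunction036");
    int ok = (fn != NULL && fn(buf, (ULONG)len)) ? 1 : 0;
    FreeLibrary(advapi);
    return ok;
}

/* Fallback: CryptoAPI. CRYPT_VERIFYCONTEXT asks for no persistent key
 * container, which is all an RNG caller needs. */
static int seed_with_cryptgenrandom(unsigned char *buf, size_t len)
{
    HCRYPTPROV prov = 0;
    if (!CryptAcquireContextA(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return 0;
    int ok = CryptGenRandom(prov, (DWORD)len, buf) ? 1 : 0;
    CryptReleaseContext(prov, 0);
    return ok;
}
#else
/* Non-Windows stand-in so the example runs elsewhere: read the kernel pool. */
static int seed_with_urandom(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 1 : 0;
}
#endif

/* Fill buf with len bytes of OS entropy. Returns 1 on success, 0 on failure. */
int gather_os_entropy(unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return 0;
    memset(buf, 0, len);   /* never hand back stale bytes on failure */
#ifdef _WIN32
    if (seed_with_rtlgenrandom(buf, len))
        return 1;
    return seed_with_cryptgenrandom(buf, len);
#else
    return seed_with_urandom(buf, len);
#endif
}

/* Cheap sanity check: a seed whose bytes are all identical is almost
 * certainly a failed or stubbed source rather than entropy. */
int looks_nonconstant(const unsigned char *buf, size_t len)
{
    for (size_t i = 1; i < len; i++)
        if (buf[i] != buf[0])
            return 1;
    return 0;
}

/* Draw two seeds and confirm the source responds and does not repeat. */
int self_check(void)
{
    unsigned char a[32], b[32];
    if (!gather_os_entropy(a, sizeof a) || !gather_os_entropy(b, sizeof b))
        return 0;
    if (!looks_nonconstant(a, sizeof a) || memcmp(a, b, sizeof a) == 0)
        return 0;
    return 1;
}

int main(void)
{
    unsigned char seed[32];
    if (!gather_os_entropy(seed, sizeof seed)) {
        fprintf(stderr, "no OS entropy source available\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    printf("\n");
    return 0;
}
```

The runtime lookup is what makes one binary serve both the NT4 deployments Jack mentions and XP/2003: a static import of RtlGenRandom would fail at load time on the older systems, whereas GetProcAddress simply returns NULL and the CryptoAPI path takes over.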