curl-library

Re: NTLM2

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 31 May 2006 23:22:00 +0200 (CEST)

On Wed, 31 May 2006, Michele Bini wrote:

>> While it can be improved to produce a better challenge,
>
> Well, I think it is necessary: without it the doors are wide open for a
> dictionary attack and you use NTLM2 exactly to gain more strength against
> those.

Yeps, and this is also one reason for me posting the patch here first to get
opinions and improvements. As I understood it, the Firefox code doesn't do it
a lot better as this was implemented with the help of using that and comparing
HTTP traces.

> I think openssl can access the system dependent random number generator but
> certainly I don't know the details. Moreover it just seems there is a trend
> in not making curl depend on openssl.

Yes, we're trying to make libcurl mostly SSL-layer agnostic. That said, we
could easily add a random function to the internal SSL API to allow the
underlying lib to help us out with that...

(The NTLM code already depends on OpenSSL because it has the required crypto
functions easily available.)

Personally, I have no means of testing this code so I'd rather not work on
these changes myself since I'd so easily break them.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2006-05-31
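
The idea discussed in this message, a random function exposed through the internal SSL API so the client challenge does not depend on one particular library, could look like the sketch below. It is an added example, not code from the message, the patch or libcurl: `ssl_backend`, `os_random`, `broken_random` and `ntlm_client_nonce` are hypothetical names, and it assumes a system that provides `/dev/urandom`.

```c
/* Added example; ssl_backend, os_random and ntlm_client_nonce are hypothetical
   names, not libcurl's internal API. Assumes /dev/urandom exists. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define NTLM_NONCE_LEN 8 /* client challenge size in the NTLM2 session response */

/* Hypothetical backend table: each SSL layer may supply its own CSPRNG hook. */
struct ssl_backend {
  int (*random)(unsigned char *buf, size_t len); /* returns 0 on success */
};

/* Backend-independent source: the OS generator, retrying short reads. */
int os_random(unsigned char *buf, size_t len)
{
  size_t got = 0;
  int fd = open("/dev/urandom", O_RDONLY);
  if(fd < 0) return -1;
  while(got < len) {
    ssize_t n = read(fd, buf + got, len - got);
    if(n < 0 && errno == EINTR) continue;
    if(n <= 0) break;
    got += (size_t)n;
  }
  close(fd);
  return got == len ? 0 : -1;
}

/* Constructed failing hook, used to show the fail-closed path. */
int broken_random(unsigned char *buf, size_t len) { (void)buf; (void)len; return -1; }

/* Fill the client challenge; on failure zero it and report an error rather
   than falling back to rand() or a clock value. */
int ntlm_client_nonce(const struct ssl_backend *be, unsigned char *nonce)
{
  int (*rng)(unsigned char *, size_t) = (be && be->random) ? be->random : os_random;
  if(rng(nonce, NTLM_NONCE_LEN) == 0)
    return 0;
  memset(nonce, 0, NTLM_NONCE_LEN);
  return -1; /* caller must not send an NTLM2 response */
}

int main(void)
{
  unsigned char nonce[NTLM_NONCE_LEN];
  return ntlm_client_nonce(NULL, nonce) != 0;
}
```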