From: Yedaya Katsman Date: Fri, 4 Apr 2025 14:04:21 +0000 (+0300) Subject: rand: update comment on Curl_rand_bytes weak random X-Git-Tag: curl-8_14_0~362 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80f9f6e59b1d642922d4f9de57b36a741bf60cd7;p=thirdparty%2Fcurl.git rand: update comment on Curl_rand_bytes weak random From what I understand both rustls and mbedTLS expose a strong random function, so as long as you have a TLS library random will be strong. Followup 89728451234a "vtls/rustls: support strong CSRNG data" Followup a90a5bccd47b "mbedtls: implement CTR-DRBG and HAVEGE random generators" Closes #16965 --- diff --git a/lib/rand.c b/lib/rand.c index 8d55e260a4..bf81af0948 100644 --- a/lib/rand.c +++ b/lib/rand.c @@ -191,12 +191,11 @@ static CURLcode randit(struct Curl_easy *data, unsigned int *rnd, * Curl_rand() stores 'num' number of random unsigned characters in the buffer * 'rnd' points to. * - * If libcurl is built without TLS support or with a TLS backend that lacks a - * proper random API (Rustls or mbedTLS), this function will use "weak" - * random. + * If libcurl is built without TLS support or arc4random, this function will + * use "weak" random. * - * When built *with* TLS support and a backend that offers strong random, it - * will return error if it cannot provide strong random values. + * When built *with* TLS support, it will return error if it cannot provide + * strong random values. * * NOTE: 'data' may be passed in as NULL when coming from external API without * easy handle!
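Review bot: The new wording "built without TLS support or arc4random" in the first changed paragraph is ambiguous: it can be read as "without TLS support, or with arc4random", the opposite of what is intended. Suggest "If libcurl is built with neither TLS support nor arc4random, this function will use "weak" random." The second changed paragraph then covers only the TLS case, so a sentence stating what a build with arc4random but no TLS does on failure would complete the contract for callers that depend on strong random. The unchanged context line at the top of the hunk still names Curl_rand() while the commit subject says the comment documents Curl_rand_bytes; align the name if this comment sits on Curl_rand_bytes.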