From 2fac14da00e680f13c27262b6a623683b370f244 Mon Sep 17 00:00:00 2001
From: Christopher Dykes <cdykes@fb.com>
Date: Wed, 9 Nov 2016 14:31:44 -0800
Subject: [PATCH] Request lower privilege crypt context when generating random
 numbers

Summary: Without this flag, we were unintentionally requesting a context with access to private keys.

Reviewed By: yfeldblum

Differential Revision: D4155525

fbshipit-source-id: f33d18451b06e32b81d03bf6180efc1671cfa204
---
 folly/Random.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/folly/Random.cpp b/folly/Random.cpp
index 8f5e3128..d4fb39b4 100644
--- a/folly/Random.cpp
+++ b/folly/Random.cpp
@@ -42,7 +42,12 @@ void readRandomDevice(void* data, size_t size) {
   static folly::once_flag flag;
   static HCRYPTPROV cryptoProv;
   folly::call_once(flag, [&] {
-    if (!CryptAcquireContext(&cryptoProv, nullptr, nullptr, PROV_RSA_FULL, 0)) {
+    if (!CryptAcquireContext(
+            &cryptoProv,
+            nullptr,
+            nullptr,
+            PROV_RSA_FULL,
+            CRYPT_VERIFYCONTEXT)) {
       if (GetLastError() == NTE_BAD_KEYSET) {
         // Mostly likely cause of this is that no key container
         // exists yet, so try to create one.
-- 
2.34.1