Someone added code to CryptGenRandom so that it generates very bad random data (with <10 bits randomness in them).
Don't do that. It's a known security risk.
Read from /dev/urandom instead. If that does not succeed, just abort().
Linux and newer Solaris have /dev/urandom. I would guess the BSDs have it too.
Morten
On September 12, 2001 6:51 pm, Morten Welinder wrote:
> Someone added code to CryptGenRandom so that it generates very bad random data (with <10 bits randomness in them).
> Don't do that. It's a known security risk.
> Read from /dev/urandom instead. If that does not succeed, just abort().
> Linux and newer Solaris have /dev/urandom. I would guess the BSDs have it too.
> Morten
So far all the functions in that file are just stubs. I would assume that CryptGenRandom is currently not being used (at least not much) if the rest of the API has not been implemented. If you read the comments inside that function, however, it is listing this situation as a known problem. I will likely fix this though in an upcoming patch to the CryptoAPI (patch 3 or 4 perhaps?).
On another note, however, I was re-reading the CryptoAPI thread and I don't think that Vladimir Vukicevic's questions were really answered from September 3rd.
As to my progress, so far I have just created stubs for the functions in advapi32.dll (patch 1 - crypt.c) and am currently working on wincrypt.h (patch 2). If you want to help on the API, you can. However, we should probably try to coordinate our efforts.
- Travis