Hello, I just randomly stumbled upon this old mail http://www.winehq.org/pipermail/wine-patches/2005-May/017718.html and I found the FIXME comment about (lack of) cryptographic quality slightly worrying, so I had a quick look at the gitweb to see what the implementation would look like these days. Apparently this method still uses urandom but the FIXME comment has been removed (in http://source.winehq.org/git/wine.git/?a=commitdiff;h=59f2a3312e4c16876b69f9... )
Just thought I'd give it a heads-up, maybe this is still an issue that should at least be marked in the comments?
> Just thought I'd give it a heads-up, maybe this is still an issue that should at least be marked in the comments?
I removed that comment because it's too strong. We have no idea what guarantees of randomness RtlGenRandom provides, so it's not clear there's anything to fix.
Feel free to send a patch. --Juan
On Wed, Jul 15, 2009 at 08:23:06 -0700, Juan Lang wrote:
> > Just thought I'd give it a heads-up, maybe this is still an issue that should at least be marked in the comments?
>
> I removed that comment because it's too strong. We have no idea what guarantees of randomness RtlGenRandom provides, so it's not clear there's anything to fix.
Thanks for the quick response! Actually it seems that rand_s() uses RtlGenRandom[2], and MSDN claims the function can be used for cryptographically secure random numbers[1]. This is something I noticed by following the discussion about Firefox 3.5's slow startup times on Windows that RtlGenRandom seems to be used for just this purpose, or at least that's the impression I got after quickly reading through this: https://bugzilla.mozilla.org/show_bug.cgi?id=501605#c135
If win32 apps rely on this method for security, I figured maybe this would be reason enough to at least keep the FIXME in there (slightly worried about similarities to Debian's OpenSSL incident, although that was much more severe).
I'm not really a wine hacker so this may all be a false alarm, though I thought it would be best to at least mention this, was all.
References:
[1] rand_s(): http://msdn.microsoft.com/en-us/library/sxtz2fa8%28VS.80%29.aspx
[2] its use of RtlGenRandom: http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx
> Thanks for the quick response! Actually it seems that rand_s() uses RtlGenRandom[2], and MSDN claims the function can be used for cryptographically secure random numbers[1].
I don't see anything on that page that says that it can be used for cryptographically secure random numbers, not that we've defined that term. I do see that it generates pseudorandom numbers, which /dev/urandom does as well, and rand() notably does not.
> If win32 apps rely on this method for security, I figured maybe this would be reason enough to at least keep the FIXME in there (slightly worried about similarities to Debian's OpenSSL incident, although that was much more severe).
This is different. Our RtlGenRandom generates pseudorandom numbers as well as /dev/urandom does. How random that is depends on the kernel you're running and how large the entropy pool is when we call into it.
> [2] its use of RtlGenRandom: http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx
You didn't reference this, but I'll comment on it anyway: The main point of this is that it's possible to get pseudorandom numbers using RtlGenRandom, and doing so doesn't require that you load crypt32. crypt32 is fairly large, so if all you want is a pseudorandom number, and nothing else to do with the Win32 crypto API, there's a less expensive way to get one. How strong that pseudorandom number is is unknown. --Juan
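An added example (not Wine's or Microsoft's code, and not part of this thread) showing the two sides of the point above: on Windows it resolves SystemFunction036, the advapi32 export behind RtlGenRandom, at runtime so that crypt32 is never loaded, and on other platforms it reads /dev/urandom, which is what Wine's implementation is described as doing. The function names fill_random and looks_filled are my own; the all-zero check is only a cheap sanity test for a dead source, not a measure of randomness quality.

```c
/* RtlGenRandom-style buffer fill without crypt32 (added example, not Wine code). */
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
/* SystemFunction036 is the real export that the RtlGenRandom macro maps to. */
typedef BOOLEAN (WINAPI *gen_random_fn)(PVOID buf, ULONG len);

/* Returns 1 on success, 0 on failure. */
int fill_random(unsigned char *buf, size_t len)
{
    HMODULE advapi = LoadLibraryA("advapi32.dll");
    if (!advapi) return 0;
    gen_random_fn fn = (gen_random_fn)GetProcAddress(advapi, "SystemFunction036");
    if (!fn) return 0;
    return fn(buf, (ULONG)len) ? 1 : 0;
}
#else
/* Non-Windows path: the kernel's /dev/urandom, as in Wine's implementation. */
int fill_random(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len;
}
#endif

/* Cheap liveness check: a 32-byte buffer that is still all zero after the
 * call almost certainly means the source failed, not that it is weak. */
int looks_filled(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc != 0;
}

int main(void)
{
    unsigned char key[32] = {0};
    if (!fill_random(key, sizeof key) || !looks_filled(key, sizeof key)) {
        fputs("random source unavailable\n", stderr);
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```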