question about RtlGenRandom (SystemFunction036) and urandom

winehqlist at sub.noloop.net
Wed Jul 15 10:46:50 CDT 2009


On Wed, Jul 15, 2009 at 08:23:06 -0700, Juan Lang wrote:
> > Just thought I'd give it a heads-up, maybe this is still an issue
> > that should at least be marked in the comments?
> 
> I removed that comment because it's too strong.  We have no idea what
> guarantees of randomness RtlGenRandom provides, so it's not clear
> there's anything to fix.

Thanks for the quick response! Actually it seems that rand_s()
uses RtlGenRandom[2], and MSDN claims the function can be used for
cryptographically secure random numbers[1]. This is something I noticed
by following the discussion about Firefox 3.5's slow startup times on
Windows: RtlGenRandom seems to be used for just this purpose, or
at least that's the impression I got after quickly reading through this:
https://bugzilla.mozilla.org/show_bug.cgi?id=501605#c135

If win32 apps rely on this method for security, I figured maybe this 
would be reason enough to at least keep the FIXME in there (slightly
worried about similarities to Debian's OpenSSL incident, although that
was much more severe).

I'm not really a wine hacker so this may all be a false alarm, though
I thought it would be best to at least mention this, was all.

References: 
  [1] rand_s(): 
    http://msdn.microsoft.com/en-us/library/sxtz2fa8%28VS.80%29.aspx
  [2] its use of RtlGenRandom: 
    http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx





More information about the wine-devel mailing list