Impropper initialization of RNG on Windows #8
Conversation
OpenSSL, the integrated random number generator is not initializated with enought entropy. This code will add entropy using the system timers https://en.wikipedia.org/wiki/Clock_drift#Random_number_generators
|
Thanks for you interest. Unfortunately using timers like that does not add enough entropy to meaningfully enhance security. Werner: Is using ZRTPCPP on Windows without OpenSSL even supported? If so, is he correct that it currently runs without any entropy source? |
|
Actually not tested or verified for Windows. The random initialization has a comment that On the other hand we don't rely on the Systems random generator only. We add entropy Werner Am 16.09.2013 16:36, schrieb traviscross:
Werner Dittmann [email protected] |
|
If the random number generator is not to be used on the Windows platform, then please consider adding an compiler time error message into the code. #if !(defined(_WIN32) || defined(_WIN64))
int rnd = open("/dev/urandom", O_RDONLY);
if (rnd >= 0) {
num = read(rnd, seed, length);
close(rnd);
}
else
return num;
#else
#error This random number generator can not be used on Windows platform without seeding!
#endif |
Windows platform. Throw an compiler error message for Windows platform.
Remove the previous seeding for Windows platform and add compiler error. Conflicts: cryptcommon/ZrtpRandom.cpp
In the original random number generator I was able to reproduce the same random numbers
on Windows in Debug mode,
On Windows platform when using GNU ZRTP library in standalone, without
OpenSSL, the integrated random number generator is not initializated
with enought entropy. This code will add entropy using the system timers
https://en.wikipedia.org/wiki/Clock_drift#Random_number_generators