2009/7/18 Dave Korn <dave.korn.cyg...@googlemail.com>:
> Kai Tietz wrote:
>
>>       * gnu/java/security/jce/prng/natVMSecureRandomWin32.cc: Implementation
>>       for native win32.
>>
>> Tested for x86 and x64 mingw targets. Ok for apply?
>
> +  for (a = 0; a < length; a++, count++)
> +   *bytes++= (jbyte) rand ();
>
>  Surely not, the standard C library rand() function is completely unsuitable
> for security purposes.  It should use the win32 crypto api to get real
> high-quality random data I think.
>
>    cheers,
>      DaveK
>
>

Yes, I agree to this as I said in the patch post. Can we assume that
any win32 target has a working wincrypt.h file?
I just suggested this patch, to have at least an implementation here
for win32 for further improvement (Btw I missed in my initial patch to
include explicit <stdlib.h> here, too).
I am just running through libjava for an initial port for x64 windows.
There are a lot of assumptions about sizeof (long) == sizeof (void*),
but the worse thing I see is the casting of HANDLE values to jint. For
x86 this is fine, but for x64 this can lead to serious troubles.

Cheers,
Kai

-- 
|  (\_/) This is Bunny. Copy and paste
| (='.'=) Bunny into your signature to help
| (")_(") him gain world domination

Reply via email to