2009/7/18 Dave Korn <dave.korn.cyg...@googlemail.com>:
> Kai Tietz wrote:
>
>> * gnu/java/security/jce/prng/natVMSecureRandomWin32.cc: Implementation
>> for native win32.
>>
>> Tested for x86 and x64 mingw targets. Ok for apply?
>
> + for (a = 0; a < length; a++, count++)
> + *bytes++= (jbyte) rand ();
>
> Surely not, the standard C library rand() function is completely unsuitable
> for security purposes. It should use the win32 crypto api to get real
> high-quality random data I think.
>
> cheers,
> DaveK
>
>
Yes, I agree to this as I said in the patch post. Can we assume that
any win32 target has a working wincrypt.h file?
I just suggested this patch, to have at least an implementation here
for win32 for further improvement (Btw I missed in my initial patch to
include explicit <stdlib.h> here, too).
I am just running through libjava for an initial port for x64 windows.
There are a lot of assumptions about sizeof (long) == sizeof (void*),
but the worse thing I see is the casting of HANDLE values to jint. For
x86 this is fine, but for x64 this can lead to serious troubles.
Cheers,
Kai
--
| (\_/) This is Bunny. Copy and paste
| (='.'=) Bunny into your signature to help
| (")_(") him gain world domination
