Impropper initialization of RNG on Windows

[fedor-brunner]

In the original random number generator I was able to reproduce the same random numbers
on Windows in Debug mode,

On Windows platform when using GNU ZRTP library in standalone, without
OpenSSL, the integrated random number generator is not initializated
with enought entropy. This code will add entropy using the system timers

https://en.wikipedia.org/wiki/Clock_drift#Random_number_generators

[traviscross]

Thanks for you interest. Unfortunately using timers like that does not add enough entropy to meaningfully enhance security.

Werner: Is using ZRTPCPP on Windows without OpenSSL even supported? If so, is he correct that it currently runs without any entropy source?

[wernerd]

Actually not tested or verified for Windows. The random initialization has a comment that
explicitly states that Windows is not supported.

On the other hand we don't rely on the Systems random generator only. We add entropy
during the calls, thus the client calls the add_entropy with some data. This enhances
entropy in general.

Werner

Am 16.09.2013 16:36, schrieb traviscross:

Thanks for you interest. Unfortunately using timers like that does not add enough entropy to meaningfully enhance security.

Werner: Is using ZRTPCPP on Windows without OpenSSL even supported? If so, is he correct that it currently runs without any entropy source?

---

Reply to this email directly or view it on GitHub:
#8 (comment)

---

Werner Dittmann Werner.Dittmann@t-online.de
Tel +49 173 44 37 659
PGP key: 82EF5E8B

[fedor-brunner]

If the random number generator is not to be used on the Windows platform, then please consider adding an compiler time error message into the code.

#if !(defined(_WIN32) || defined(_WIN64))
    int rnd = open("/dev/urandom", O_RDONLY);
    if (rnd >= 0) {
        num = read(rnd, seed, length);
        close(rnd);
    }
    else
        return num;
#else
#error This random number generator can not be used on Windows platform without seeding!
#endif