bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

[Richard Copley <rcopley@gmail.com>]

> Can you audit the patch below?  I know next to nothing about
> cryptography, and I'm not sure I understood all the flags involved in
> these APIs.

Sure! But please bear in mind I'm not experienced in crypto
either.

With regard to API usage: The call to CryptAcquireContext looks good
to me. (The comment about interoperability in the documentation for
the parameter "pszProvider" does not apply as we are not inter-
operating with anything. Setting "pszContainer" to NULL, as you have
done, is explicitly recommended. The docs for the individual flags
entail the very value of "dwFlags" that you use.) I can see nothing
else to comment on.

Re performance: using CryptGenRandom to provide a seed for srand
is enough to address Demetri's concern. For performance reasons,
as you said, implementing random() with CryptGenRandom is
potentially bad. I think random() itself should not be changed.

That said, rand() makes me uncomfortable (mostly because of bugs in
long-gone implementations, and superstition). Given the chance I would
replace it with an xorshift* generator. The generator at [1] seeded
with 64 bits from CryptGenRandom should give good performance for
random() and (I guess!) an effectively unassailable server secret.

But I have no good reason to claim that rand() is not good enough.

Thank you Eli.

[1]: https://en.wikipedia.org/w/index.php?title=Xorshift&oldid=697235156#xorshift.2A