Closed Bug 454313 Opened 16 years ago Closed 16 years ago

PR_GetRandomNoise should be reimplemented to read from /dev/urandom

Categories

(NSPR :: NSPR, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 455829

People

(Reporter: wtc, Assigned: wtc)

Details

PR_GetRandomNoise was originally intended to replace the
platform-specific code in NSS's lib/freebl/{unix_rand.c,
win_rand.c}.  Unfortunately, this has two problems.  The
first is an implementation problem.  The second is an
API design problem.

1. The current implementation of PR_GetRandomNoise doesn't
try hard enough, so on most platforms it merely returns a
high-resolution timestamp.

2. Users misunderstand the purpose of PR_GetRandomNoise
(for seeding a PRNG), and use PR_GetRandomNoise as a PRNG.
See http://mxr.mozilla.org/mozilla-central/ident?i=PR_GetRandomNoise

I am afraid that the solution is to deprecate PR_GetRandomNoise,
and reimplement it to read from /dev/urandom.  If you have
better ideas, please let me know.
OS: Windows XP → All
Hardware: PC → All
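Added example (not code from NSPR or from this bug report): a small C program that models the two problems described above. `timestamp_noise` is a constructed stand-in for the weak behaviour in item 1 (the only "noise" is a high-resolution timestamp, so at most 8 bytes come back no matter how many are requested; it is not NSPR's actual implementation). `urandom_noise` is the proposed replacement, reading /dev/urandom and handling short reads. `fill_key` shows the check a caller that wants key material must do: compare the returned count with the requested size, which is exactly what the misuse in item 2 skips. Function names are assumptions for this illustration; the callback shape mirrors PR_GetRandomNoise (fill up to `size` bytes, return the number actually produced).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Same shape as PR_GetRandomNoise: fill up to `size` bytes, return how
 * many were actually produced (0 means no noise available). */
typedef size_t (*noise_fn)(void *buf, size_t size);

/* Constructed model of the weak source described in the bug: the only
 * noise is a high-resolution timestamp, so the buffer is never filled
 * beyond sizeof(uint64_t) bytes.  Stand-in for illustration only. */
static size_t timestamp_noise(void *buf, size_t size)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_REALTIME, &ts) != 0)
        return 0;
    uint64_t stamp = (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
    size_t n = size < sizeof stamp ? size : sizeof stamp;
    memcpy(buf, &stamp, n);
    return n;  /* at most 8, regardless of `size` */
}

/* The replacement the bug proposes: read the kernel CSPRNG through
 * /dev/urandom, looping over short reads and retrying on EINTR. */
static size_t urandom_noise(void *buf, size_t size)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return 0;
    size_t got = 0;
    while (got < size) {
        ssize_t r = read(fd, (unsigned char *)buf + got, size - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        if (r == 0)
            break;
        got += (size_t)r;
    }
    close(fd);
    return got;
}

/* A caller that needs `len` bytes of key material must check the count
 * the source returns.  Using a partially filled buffer as a key is the
 * misuse the bug warns about.  Returns 0 on success, -1 on shortfall. */
static int fill_key(noise_fn source, uint8_t *key, size_t len)
{
    memset(key, 0, len);
    size_t got = source(key, len);
    if (got != len) {
        memset(key, 0, len);  /* do not leave a half-filled key behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    uint8_t key[32];
    printf("timestamp source: %s\n",
           fill_key(timestamp_noise, key, sizeof key) == 0 ? "ok" : "short, not usable as a key");
    printf("/dev/urandom:     %s\n",
           fill_key(urandom_noise, key, sizeof key) == 0 ? "ok" : "short");
    return 0;
}
```

With the timestamp model a request for 32 bytes comes back with 8, so `fill_key` refuses it; with /dev/urandom the full 32 bytes arrive. The same return-value check applies to any seeding API: noise is for seeding a PRNG, and the count tells you how much seed you actually got.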
Wan-Teh, do you consider this bug to be a vulnerability that should be kept
secret until it is fixed?  I asked because that is the meaning of the 
"Security Sensitive Core bug" flag that you apparently set on this bug when
you filed it.
The security vulnerability is in the applications that
incorrectly use PR_GetRandomNoise as a secure PRNG.
Unfortunately we don't have a mailing list similar to
security-group@mozilla.org for notifying NSPR users of
potential security issues.  So I marked this bug as
security-sensitive.

Our documentation at
http://developer.mozilla.org/en/NSPR_API_Reference/Random_Number_Generator
actually describes the purpose of this function correctly,
but some users still use this function as a PRNG.
See bug 455829 comment 9 for a summary of Mozilla callers of this function. This bug looks to be a duplicate of that one.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Group: core-security