Every few years we need to revisit our entropy collection code in NSS and NSPR, to see if it is still adequate and if OS changes made since we last visited it have lessened its effectiveness. Ben Goodger recently asked about how we gather entropy on Windows systems, and so I took a look at it again for the first time since I worked on it for WinCE (Pocket PC 2002) 4 years ago. I didn't like what I found. The good news is that this is not the only source of entropy on Windows systems. Among the various sources examined for Windows, NSS looks through the files in:

  \Windows\Temporary Internet Files (recursively)
  \Temp (non-recursively)
  \Windows (non-recursively)

IIRC, those directories always existed on Win9x, WinME, WinCE, and WinNT, and maybe Win2k, but \Temp and \Windows\Temporary Internet Files don't always exist with WinXP. In fact, they don't exist on this box from which I am now writing. Seems that Temporary Internet Files now commonly exists as a subdirectory of C:\Documents and Settings\<user>\Local Settings and likewise Temp exists as a subdirectory of those same directories. But in addition, there is a c:\windows\temp and a C:\windows\temp\Temporary Internet Files on my WinXP box. So, I'm thinking we should add C:\Documents and Settings\<user>\Local Settings\Temp and C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files to the lists of directories that NSS examines for entropy upon startup. I think this bug should remain "security sensitive" until this is resolved.
FWIW, xpcom/io uses GetTempPathW / GetTempPathA to get the temp path. It uses SHGetSpecialFolderLocation with SHGetPathFromIDListA and CSIDL_INTERNET_CACHE: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceui40/html/cerefSHGetSpecialFolderPath.asp
Re-reading the sources, I see that the use of those hard-coded paths is only for WinCE. So maybe this aspect of this bug is a false alarm.
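As an added illustration of what the first two comments point at (a directory-walk entropy collector whose scan roots are resolved from the platform rather than hard-coded), here is example code that is not NSS or NSPR code and does not reproduce how NSS actually mixes its pool. Assumptions: the temp directory comes from GetTempPathA on Windows and from TMPDIR (falling back to /tmp) elsewhere; the Windows branch uses FindFirstFileA/FindNextFileA and is not exercised by a POSIX build; the 64-bit FNV-1a mixer is a stand-in for the RNG's real hash-based pool and is only there so the walk's output can be checked deterministically. The CSIDL_INTERNET_CACHE lookup from the second comment is left out to keep the block short.

```c
/* Added example, not NSS/NSPR code: collect file metadata from a
 * platform-resolved temp directory and mix it into a seed pool.
 * FNV-1a here stands in for the RNG's real mixing function. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <dirent.h>
#include <sys/stat.h>
#endif

/* 64-bit FNV-1a over a byte string (deterministic stand-in mixer). */
uint64_t mix_bytes(uint64_t pool, const void *data, size_t len) {
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        pool ^= p[i];
        pool *= 0x100000001b3ULL;
    }
    return pool;
}

/* Resolve the temp directory from the platform instead of a fixed path.
 * Returns the path length, or 0 if it could not be resolved or does not fit. */
size_t resolve_temp_dir(char *buf, size_t n) {
#ifdef _WIN32
    DWORD r = GetTempPathA((DWORD)n, buf);   /* honours the user's TMP/TEMP */
    return (r == 0 || r >= n) ? 0 : (size_t)r;
#else
    const char *t = getenv("TMPDIR");        /* assumed: TMPDIR, else /tmp */
    if (!t || !*t) t = "/tmp";
    size_t len = strlen(t);
    if (len + 1 > n) return 0;
    memcpy(buf, t, len + 1);
    return len;
#endif
}

/* Walk `dir`, mixing each entry's name, size and last-write time into *pool.
 * Recurses into subdirectories only when `recursive` is nonzero, at most
 * `depth` levels deep. Returns the number of entries mixed, -1 if unreadable. */
long collect_dir_entropy(const char *dir, int recursive, int depth, uint64_t *pool) {
    long count = 0;
    char path[4096];
#ifdef _WIN32
    WIN32_FIND_DATAA fd;
    snprintf(path, sizeof path, "%s\\*", dir);
    HANDLE h = FindFirstFileA(path, &fd);
    if (h == INVALID_HANDLE_VALUE) return -1;
    do {
        if (!strcmp(fd.cFileName, ".") || !strcmp(fd.cFileName, "..")) continue;
        *pool = mix_bytes(*pool, fd.cFileName, strlen(fd.cFileName));
        *pool = mix_bytes(*pool, &fd.nFileSizeLow, sizeof fd.nFileSizeLow);
        *pool = mix_bytes(*pool, &fd.ftLastWriteTime, sizeof fd.ftLastWriteTime);
        count++;
        if (recursive && depth > 0 && (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
            snprintf(path, sizeof path, "%s\\%s", dir, fd.cFileName);
            long sub = collect_dir_entropy(path, 1, depth - 1, pool);
            if (sub > 0) count += sub;
        }
    } while (FindNextFileA(h, &fd));
    FindClose(h);
#else
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) != 0) continue;   /* entry vanished or unreadable */
        *pool = mix_bytes(*pool, e->d_name, strlen(e->d_name));
        *pool = mix_bytes(*pool, &st.st_size, sizeof st.st_size);
        *pool = mix_bytes(*pool, &st.st_mtime, sizeof st.st_mtime);
        count++;
        if (recursive && depth > 0 && S_ISDIR(st.st_mode)) {
            long sub = collect_dir_entropy(path, 1, depth - 1, pool);
            if (sub > 0) count += sub;
        }
    }
    closedir(d);
#endif
    return count;
}

int main(void) {
    char tmp[1024];
    uint64_t pool = 0xcbf29ce484222325ULL;   /* FNV offset basis */
    if (!resolve_temp_dir(tmp, sizeof tmp)) return 1;
    long n = collect_dir_entropy(tmp, 1, 2, &pool);
    printf("temp dir %s: mixed %ld entries, pool=%016llx\n",
           tmp, n, (unsigned long long)pool);
    return 0;
}
```

The point of the structure is that a missing directory returns -1 rather than silently contributing nothing, so the caller can tell a resolved-but-empty root from a root that does not exist on this OS version, which is exactly the failure the first comment describes for the hard-coded WinXP paths.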
Narrowing scope of this bug to WinCE. Will file another RFE for broader scope
Assignee: neil.williams → dougt
OS: Windows XP → Windows CE
Priority: -- → P3
Hardware: PC → PocketPC
Summary: Time for another periodic revisitation of NSS's entropy collection → Don't use hard coded path names for system files on WinCE
Actually one more note: This PRNG seeding code was supposed to have been moved from NSS to NSPR years ago, since it is platform dependent. I think that work was begun but perhaps not completed. Now might be a good time to complete that work. This bug might be a good reason to do so.
QA Contact: alexei.volkov.bugs → libraries
Not actively working on this, feel free to help yourself.
Assignee: doug.turner → nobody
OS: Windows CE → Windows Mobile 6 Standard
This was fixed in bug 466745.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12.3