Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

entropy_poll uses disallowed API when building for Windows Store #966

Closed
borrrden opened this issue Jun 15, 2017 · 7 comments
Closed

entropy_poll uses disallowed API when building for Windows Store #966

borrrden opened this issue Jun 15, 2017 · 7 comments
Labels
component-crypto Crypto primitives and low-level interfaces enhancement

Comments

@borrrden
Copy link

CryptGenRandom is not allowed for use in Windows Store (aka UWP) applications. There is another function called BCryptGenRandom which is allowed, but only supported on Vista onward. This may or may not be acceptable, but there is also an #ifdef that can be used to choose. If you want I can make a PR, but it will consist of this around the top of entropy_poll.c:

#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
    size_t *olen)
{
    HCRYPTPROV provider;
    ((void)data);
    *olen = 0;

    if (CryptAcquireContext(&provider, NULL, NULL,
        PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE)
    {
        return(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
    }

    if (CryptGenRandom(provider, (DWORD)len, output) == FALSE)
    {
        CryptReleaseContext(provider, 0);
        return(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
    }

    CryptReleaseContext(provider, 0);
    *olen = len;

    return(0);
}
#else
    #include <bcrypt.h>

    int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
        size_t *olen)
    {
        NTSTATUS status = BCryptGenRandom(NULL, output, len, BCRYPT_USE_SYSTEM_PREFERRED_RNG);
        if (status < 0) {
            return(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED);
        }

        return 0;
    }
#endif

Of course if you have a better idea I am very open to it!
@ciarmcom
Copy link

ARM Internal Ref: IOTSSL-1471

@borrrden
Copy link
Author

borrrden commented Jun 19, 2017
edited
Loading

Oh, just as an FYI, this is also of course achievable now without any source code changes on the mbed side. If you are building for Windows Store add the MBED_PLATFORM_NO_ENTROPY define to your build and then register the handler I mentioned above using mbedtls_entropy_add_source() as described in this document (make sure you add it as a "strong" source)

@RonEld
Copy link
Contributor

RonEld commented Jun 20, 2017

Hi @borrrden thanks for your update. Yes, it can be done with your correct suggestion. We will internally decide whether we want to support this as a built-in platform entropy poll. Thanks again for your update and fix suggestion!

@RonEld
Copy link
Contributor

RonEld commented Feb 13, 2018

Hi @borrrden Is #730 a possible solution for your issue?

@borrrden
Copy link
Author

Indeed I believe it is! You will lose support for Windows XP I think, if that is a concern, but otherwise the changes in entropy poll look almost identical to the ones I made.

@guilt
Copy link

guilt commented Aug 27, 2018

As a user, I'd like to have both versions so I could ifdef and build two different libraries if needed. I test with a VM once in a while.

@RonEld RonEld added the component-crypto Crypto primitives and low-level interfaces label Feb 14, 2019
@davidhorstmann-arm
Copy link
Contributor

Closing as superseded/duplicated by #1227.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component-crypto Crypto primitives and low-level interfaces enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@guilt @daverodgman @borrrden @ciarmcom @RonEld @davidhorstmann-arm