bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

[Eli Zaretskii]

> From: Demetrios Obenour <demetriobenour@gmail.com>
> Cc: David Engster <deng@randomsample.de>, 22202@debbugs.gnu.org
> Date: Thu, 31 Dec 2015 12:04:38 -0500
> 
> The server secret should be entirely obtained from CryptGenRandom (or
> the function RtlGenRandom on which it is based).  The server secret is
> a cryptographic key and should be generated as such.  Using the same
> entropy to seed an insecure PRNG and the server secret is a bad idea --
> the server secret could be guessed based on PRNG output.

I don't understand what you are saying.  server.el doesn't use the
secret, it simply invokes the 'random' function several time to
generate the authentication key.  The secret is used to seed the PRNG
during Emacs startup, and it is used only once.

Given this description, how can the secret be guessed, and what are
the implications of that guess (if indeed it's possible) on the
ability of an attacker to control Emacs via the client socket?

> It would also be nice to expose a CSPRNG to Lisp on all platforms.  I
> know that SLIME could use it on Windows, and it would be nice if one
> could have a just-do-it API for this purpose.  Speed does not matter
> much here.

Patches are welcome, but they should include the same feature for
Posix hosts, probably using /dev/random.