On Nov 15, 2007 12:30 PM, Alex Ionescu ionucu@videotron.ca wrote:
"HCRYPTHASH hPrivate; /*CSP's handle - Should not be given to application under any circumstances!*/"
Are Wine people aware that DLLs load in the same address space as applications? There is no way to protect this handle from the application unless you store it in kernel-mode.
I am sure the guys working on this code now are aware of it. That comment was written back in 2002 by someone I've never even heard of, so I expect it was a bit of a hack to get some application to work.
http://source.winehq.org/git/wine.git/?a=commit;h=e8273d60562acb5135c49e90d8...
And I don't know what applications are using this functionality that they would have had to implement it. I guess the Wine developers just don't care. I don't really know anything about the context of this, but I guess they figure it does not really matter if it's insecure, as there are tons of other vectors to exploit in Wine, and if something bypasses the traditional Unix security all is lost anyway.
I am not really qualified to comment on this. If you would like, I will ask Juan Lang if he wants to implement it properly in Wine via a kernel module or something. He has been the one recently working on crypto service providers and friends, so I can direct any questions you might have to him.