@@ -49,9 +49,25 @@ const TRUE: BOOL = 1;
4949#[ inline]
5050pub fn fill_inner ( dest : & mut [ MaybeUninit < u8 > ] ) -> Result < ( ) , Error > {
5151 let result = unsafe { ProcessPrng ( dest. as_mut_ptr ( ) . cast :: < u8 > ( ) , dest. len ( ) ) } ;
52- // `ProcessPrng` is documented to always return TRUE. All potential errors are handled
53- // during loading of `BCryptPrimitive.dll`. See the "Process base PRNG" section
54- // in the aforementioned Windows RNG whitepaper for more information.
55- debug_assert ! ( result == TRUE ) ;
56- Ok ( ( ) )
52+ // On Windows 10 and later, `ProcessPrng` is documented to always return
53+ // TRUE. All potential errors are handled during loading of
54+ // `BCryptPrimitive.dll`. See the "Process base PRNG" section in the
55+ // aforementioned Windows RNG whitepaper for more information.
56+ //
57+ // The Zig project found that Windows 8 implements `ProcessPrng` in a way
58+ // that may fail and return a value other than `TRUE`. Although recent
59+ // versions of the Rust toolchain do not support Windows 8, we cannot rule
60+ // out this backend being used in an executable that will run on Windows 8
61+ // (e.g. a fork of this crate backported to have an MSRV lower than 1.76,
62+ // or a fork of the Rust toolchain to support older Windows versions, or
63+ // other build hacks).
64+ //
65+ // Further, Wine's implementation of `ProcessPrng` CAN fail, in every
66+ // version through Wine 11.2, and this may be the case for any other Windows
67+ // emulation layers.
68+ if result == TRUE {
69+ Ok ( ( ) )
70+ } else {
71+ Err ( Error :: UNEXPECTED )
72+ }
5773}
0 commit comments