247471 2022-11-03 18:19:02 -0700 Audit use of cryptographically random functions 2022-11-10 17:19:17 -0800 1 1 1 Unclassified WebKit Platform WebKit Nightly Build Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=247581 InRadar P2 Normal --- 1 don.olmstead webkit-unassigned darin webkit-bug-importer oldest_to_newest 1910254 0 don.olmstead 2022-11-03 18:19:02 -0700 Cryptographically random numbers are expensive to generate and can have a negative performance impact. Determine if code using them should actually be using them instead of a weak random number. 1910844 1 darin 2022-11-07 12:34:49 -0800 I just noticed that we have two identical functions in two different headers: cryptographicallyRandomNumber cryptographicallyRandomUint32 1910850 2 darin 2022-11-07 12:47:42 -0800 Not necessarily part of this bug, but I suggest we do these 9 things: 1) Change the 3 callers of cryptographicallyRandomUint32 to use cryptographicallyRandomNumber instead. 2) Remove cryptographicallyRandomUint32. 3) Move cryptographicallyRandomUint64 to CryptographicallyRandomNumber.h 4) Move cryptographicallyRandomUnitInterval to CryptographicallyRandomNumber.h. 5) Rename cryptographicallyRandomUint64 to cryptographicallyRandomUInt64 or cryptographicallyRandom<uint64_t>. 6) Consider renaming cryptographicallyRandomNumber to cryptographicallyRandomUInt32 or cryptographicallyRandom<uint32_t>. 7) Consider renaming weakRandom to weakRandomUInt32 or weakRandom<uint32_t>. 8) Consider renaming RandomNumber.h to WeakRandomNumber.h. 9) Document that cryptographicallyRandomUnitInterval has only 32 bits of randomness in it to further discourage uninformed use of it. 1911712 3 webkit-bug-importer 2022-11-10 17:19:17 -0800 <rdar://problem/102219729>