Bug 169860 - ARC4RandomNumberGenerator should discard 3072 bytes instead of 256 bytes
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Template Framework
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Reported: 2017-03-19 09:23 PDT by Pirabarlen Cheenaramen
Modified: 2019-06-16 21:28 PDT

Attachments
Discard 3072 bytes instead of 256 bytes (804 bytes, patch)
2017-03-19 09:36 PDT, Pirabarlen Cheenaramen
mark.lam: review-
Description Pirabarlen Cheenaramen 2017-03-19 09:23:44 PDT
Discard 3072 bytes instead of 256 bytes
Comment 1 Pirabarlen Cheenaramen 2017-03-19 09:36:31 PDT
Created attachment 304896
Discard 3072 bytes instead of 256 bytes
Comment 2 Pirabarlen Cheenaramen 2017-03-19 09:38:40 PDT
This follows the recommendations outlined in Network Operations Division Cryptographic Requirements, published on WikiLeaks in March 2017. We discard more bytes of the first keystream to reduce the possibility of non-random bytes.
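
Added example, not part of the bug thread or of WebKit's code: a textbook RC4 that measures one well-known early-keystream bias (the second output byte is zero about twice as often as a uniform source would produce) with and without discarding the first 3072 bytes. The names `Rc4` and `countZeroSecondByte`, the 16-byte key length and the fixed-seed key generator are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Textbook RC4, written for this example (not WebKit's ARC4RandomNumberGenerator).
struct Rc4 {
    uint8_t s[256];
    uint8_t i = 0, j = 0;

    Rc4(const uint8_t* key, size_t keyLength)
    {
        for (int n = 0; n < 256; ++n)
            s[n] = static_cast<uint8_t>(n);
        uint8_t k = 0;
        for (int n = 0; n < 256; ++n) { // key scheduling
            k = static_cast<uint8_t>(k + s[n] + key[n % keyLength]);
            uint8_t t = s[n]; s[n] = s[k]; s[k] = t;
        }
    }

    uint8_t next() // one keystream byte
    {
        i = static_cast<uint8_t>(i + 1);
        j = static_cast<uint8_t>(j + s[i]);
        uint8_t t = s[i]; s[i] = s[j]; s[j] = t;
        return s[static_cast<uint8_t>(s[i] + s[j])];
    }
};

// Over `trials` constructed 16-byte keys, count how often the second byte
// delivered after discarding `discard` keystream bytes is zero.
// An unbiased source gives about trials / 256.
unsigned countZeroSecondByte(size_t discard, unsigned trials)
{
    unsigned zeros = 0;
    uint32_t seed = 0x12345678; // fixed seed: deterministic sample keys, not real key material
    for (unsigned t = 0; t < trials; ++t) {
        uint8_t key[16];
        for (uint8_t& b : key) {
            seed = seed * 1664525u + 1013904223u; // simple LCG, only to vary the keys
            b = static_cast<uint8_t>(seed >> 24);
        }
        Rc4 rc4(key, sizeof(key));
        for (size_t n = 0; n < discard; ++n)
            rc4.next();
        rc4.next();
        if (rc4.next() == 0)
            ++zeros;
    }
    return zeros;
}
```

With 32768 keys, a discard of 0 should give a count near 512 / 2 = 256 (about 2/256 of the keys), while a discard of 3072 should give a count near the uniform expectation of 128.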
Comment 3 Pirabarlen Cheenaramen 2017-03-20 22:54:03 PDT
This change is similar to https://svnweb.freebsd.org/base?view=revision&revision=315225
Comment 4 Mark Lam 2017-03-24 09:41:06 PDT
Comment on attachment 304896
Discard 3072 bytes instead of 256 bytes

Thank you for writing up a patch.  I'm not sure I'm knowledgeable enough to review this patch, but for starters, you need to create a ChangeLog entry, and document why you're making this change in there.  See https://webkit.org/contributing-code/ for the process.  r- for now because the ChangeLog is missing.
Comment 5 Oliver Hunt 2017-03-27 13:25:45 PDT
I believe the correct thing to do is to just drop rc4 (for which there is a separate patch)
Comment 6 Joseph Pecoraro 2017-06-16 19:21:55 PDT
(In reply to Oliver Hunt from comment #5)
> I believe the correct thing to do is to just drop rc4 (for which there is a
> separate patch)

Did that end up happening?

The code in Source/WTF/wtf/CryptographicallyRandomNumber.cpp appears unchanged.