| author | Frank Denis <github@pureftpd.org> | 2020-10-09 14:33:16 +0200 |
|---|---|---|
| committer | Andrew Kelley <andrew@ziglang.org> | 2020-10-15 20:57:16 -0400 |
| commit | 51a3d0603c116d99c0a93dd451a69c79dd0cbca2 (patch) | |
| tree | fde3b301f1e668a35ebf62fd5fc809b41a4a9790 /test/stack_traces.zig | |
| parent | f701459f04e24a46faf3edc5121f81fbf132f436 (diff) | |
| download | zig-51a3d0603c116d99c0a93dd451a69c79dd0cbca2.tar.gz zig-51a3d0603c116d99c0a93dd451a69c79dd0cbca2.zip | |
std.rand: set DefaultCsprng to Gimli, and require a larger seed
`DefaultCsprng` is documented as a cryptographically secure RNG.
While `ISAAC` is a CSPRNG, the variant we have, `ISAAC64`, is not.
A 64 bit seed is a bit small to satisfy that claim.
We also saw it being used with the current date as a seed, which
also defeats the point of a CSPRNG.

Set `DefaultCsprng` to `Gimli` instead of `ISAAC64`, rename
the parameter from `init_s` to `secret_seed` and add a comment to
clarify what kind of seed is expected here.
Instead of directly touching the internals of the Gimli implementation
(which can change/be architecture-specific), add an `init()` function
to the state.
Our Gimli-based CSPRNG was also not backtracking resistant. Gimli
is a permutation; it can be reverted. So, if the state was ever leaked,
future secrets, but also all the previously generated ones could be
recovered. Clear the rate after a squeeze in order to prevent this.
Finally, a dumb test was added just to exercise `DefaultCsprng` since
we don't use it anywhere.
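The backtracking problem the message describes, as an added worked example (this is illustration code, not Zig's `std.rand` or `std.crypto.core.Gimli`): a minimal sponge CSPRNG over the Gimli permutation in Python, plus the inverse permutation an attacker would use on a leaked state. Without clearing the rate after a squeeze, walking the permutation backwards yields every earlier output and finally the seed words; with clearing, the erased rate makes the previous state unrecoverable. The permutation follows the published Gimli reference algorithm (24 rounds, 12 x 32-bit words); the seed layout, the permute-output-clear order and the 32-byte seed length are assumptions chosen for the demo.

```python
"""Sponge CSPRNG on the Gimli permutation, with and without clearing the rate.
Added illustration, not Zig's code. Seed layout and squeeze order are assumed."""
import struct

MASK = 0xFFFFFFFF
RATE_WORDS = 4  # Gimli's 16-byte rate = words 0..3; the other 32 bytes are capacity


def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def gimli(state):
    """Forward Gimli permutation on 12 32-bit words (returns a new list)."""
    s = list(state)
    for rnd in range(24, 0, -1):
        for c in range(4):  # non-linear SP-box on each column
            x, y, z = rotl(s[c], 24), rotl(s[4 + c], 9), s[8 + c]
            s[8 + c] = (x ^ (z << 1) ^ ((y & z) << 2)) & MASK
            s[4 + c] = (y ^ x ^ ((x | z) << 1)) & MASK
            s[c] = (z ^ y ^ ((x & y) << 3)) & MASK
        if rnd & 3 == 0:  # small swap
            s[0], s[1], s[2], s[3] = s[1], s[0], s[3], s[2]
        if rnd & 3 == 2:  # big swap
            s[0], s[1], s[2], s[3] = s[2], s[3], s[0], s[1]
        if rnd & 3 == 0:  # round constant
            s[0] ^= 0x9E377900 | rnd
    return s


def _invert_spbox(xp, yp, zp):
    """Undo one column SP-box. Its shifts only move bits upwards, so the
    pre-image is solved bit by bit starting from the least significant bit."""
    def bit(v, k):
        return (v >> k) & 1 if k >= 0 else 0
    x = y = z = 0
    for i in range(32):
        xi = bit(zp, i) ^ bit(z, i - 1) ^ (bit(y, i - 2) & bit(z, i - 2))
        yi = bit(yp, i) ^ xi ^ (bit(x, i - 1) | bit(z, i - 1))
        zi = bit(xp, i) ^ yi ^ (bit(x, i - 3) & bit(y, i - 3))
        x, y, z = x | xi << i, y | yi << i, z | zi << i
    return x, y, z


def gimli_inverse(state):
    """Inverse permutation: a permutation can be run backwards, which is
    exactly what makes a leaked sponge state dangerous."""
    s = list(state)
    for rnd in range(1, 25):
        if rnd & 3 == 0:
            s[0] ^= 0x9E377900 | rnd
        if rnd & 3 == 2:
            s[0], s[1], s[2], s[3] = s[2], s[3], s[0], s[1]
        if rnd & 3 == 0:
            s[0], s[1], s[2], s[3] = s[1], s[0], s[3], s[2]
        for c in range(4):
            x, y, z = _invert_spbox(s[c], s[4 + c], s[8 + c])
            s[c], s[4 + c], s[8 + c] = rotl(x, 8), rotl(y, 23), z  # undo rotations
    return s


class GimliRng:
    """Toy sponge CSPRNG: permute, copy out the rate, optionally zero the rate."""

    def __init__(self, secret_seed, clear_rate):
        assert len(secret_seed) == 32, "a CSPRNG needs a full-entropy 256-bit seed"
        # Assumed layout: seed fills words 0..7, capacity words 8..11 start at zero.
        self.state = gimli(list(struct.unpack("<8I", secret_seed)) + [0] * 4)
        self.clear_rate = clear_rate

    def squeeze16(self):
        self.state = gimli(self.state)
        out = struct.pack("<4I", *self.state[:RATE_WORDS])
        if self.clear_rate:  # backtracking resistance: erase what was just handed out
            self.state[:RATE_WORDS] = [0] * RATE_WORDS
        return out


def recover_past_outputs(leaked_state, count):
    """Attacker with a memory dump: read the rate, step backwards, repeat."""
    s, found = list(leaked_state), []
    for _ in range(count):
        found.append(struct.pack("<4I", *s[:RATE_WORDS]))
        s = gimli_inverse(s)
    return found[::-1]  # oldest output first


def recover_seed(leaked_state, n_outputs):
    """Without rate clearing, n_outputs + 1 inverse steps land on the seeded state."""
    s = list(leaked_state)
    for _ in range(n_outputs + 1):
        s = gimli_inverse(s)
    return struct.pack("<8I", *s[:8])


def leak_demo(clear_rate, n_outputs=3):
    seed = bytes(range(32))  # constructed seed for the demo only, not a real secret
    rng = GimliRng(seed, clear_rate)
    outputs = [rng.squeeze16() for _ in range(n_outputs)]
    leaked = list(rng.state)  # state compromised right after the last squeeze
    return outputs, recover_past_outputs(leaked, n_outputs), recover_seed(leaked, n_outputs)
```

Clearing the rate only protects the past: anyone holding the state can still run `gimli` forward and predict every future output, which is why a leaked CSPRNG state has to be reseeded, not just erased behind itself. The inverse SP-box works bit by bit because each of Gimli's shifts only moves bits towards the top of the word, so bit `i` of the pre-image depends only on lower bits already recovered.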
Diffstat (limited to 'test/stack_traces.zig')
0 files changed, 0 insertions, 0 deletions
