Jeffrey Walton wrote:
> This does not quite look right:
>
> ARC4RANDOM_EXPORT void
> arc4random_addrandom(const unsigned char *dat, int datlen)
> {
>     int j;
>     _ARC4_LOCK();
>     if (!rs_initialized)
>         arc4_stir();
>     for (j = 0; j < datlen; j += 256) {
>         /* arc4_addrandom() ignores all but the first 256 bytes of
>          * its input.  We want to make sure to look at ALL the
>          * data in 'dat', just in case the user is doing something
>          * crazy like passing us all the files in /var/log. */
>         arc4_addrandom(dat + j, datlen - j);
>     }
>     _ARC4_UNLOCK();
> }
>
> It looks like it's an O(n^2) algorithm, and it could be painful if all
> the data in /var/log is passed in.

It looks - but it is not. Please re-read the above comment again.

> Iter 0:
> data + 0, datalen - 0: arc4_addrandom processes only MIN(datalen - 0, 256)
> [etc]
>
> It feels like it should be:
>
> k = min(256, datlen - j);
> arc4_addrandom(dat + j, k);

This logic is already in the arc4_addrandom().

BTW, openbsd already transitioned their arc4random implementation from RC4 to CHACHA. Probably, libevent should follow suit. If evutil_rand claims it is "secure PRNG code", it should really be a "secure PRNG"; RC4 is not completely broken yet, but there are some rather troubling attacks, and it is already considered unsafe for any non-legacy use (and there are no backward-compatibility issues in PRNG).

_______________________________________________
Libevent-users mailing list
Libevent-users@monkey.org
http://lists.monkey.org:8080/listinfo/libevent-users
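To make the cost argument in the reply concrete, here is an added, self-contained model of the chunking loop quoted above. It is not libevent's or OpenBSD's code: the inner `model_addrandom()` is my assumption of how the classic RC4-based arc4random mixer behaves (it always walks exactly 256 state slots and indexes its input with `n % datlen`, so bytes past the first 256 are never read), and the outer `model_addrandom_all()` is the quoted loop verbatim. A counter of inner iterations shows the total work is 256 per 256-byte chunk, i.e. linear in `datlen`, and `tail_matters()` checks that a byte well past offset 256 still reaches the state, which is the whole point of the loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not libevent's or OpenBSD's code): a minimal model of the
 * RC4-style arc4random state and its addrandom helpers, used only to count
 * how much work the quoted chunking loop does and to show that the input
 * tail is absorbed. */

struct rc4_state {
    uint8_t s[256];   /* permutation of 0..255 */
    uint8_t i, j;     /* uint8_t so the indices wrap like RC4's do */
};

static struct rc4_state rs;
static size_t bytes_touched;   /* number of inner-loop iterations so far */

static void rs_init(void)
{
    int n;
    for (n = 0; n < 256; n++)
        rs.s[n] = (uint8_t)n;
    rs.i = rs.j = 0;
    bytes_touched = 0;
}

/* Assumed behaviour of the inner mixer: 256 steps regardless of datlen, with
 * the input indexed as dat[n % datlen], so only dat[0..255] are ever read. */
static void model_addrandom(const unsigned char *dat, int datlen)
{
    int n;
    uint8_t si;

    rs.i--;
    for (n = 0; n < 256; n++) {
        rs.i = rs.i + 1;
        si = rs.s[rs.i];
        rs.j = rs.j + si + dat[n % datlen];
        rs.s[rs.i] = rs.s[rs.j];
        rs.s[rs.j] = si;
        bytes_touched++;
    }
    rs.j = rs.i;
}

/* The outer loop exactly as quoted in the thread. */
static void model_addrandom_all(const unsigned char *dat, int datlen)
{
    int j;
    for (j = 0; j < datlen; j += 256)
        model_addrandom(dat + j, datlen - j);
}

/* Total inner iterations spent mixing datlen bytes (datlen <= 4096).
 * Expected: 256 * ceil(datlen / 256), i.e. linear, not quadratic. */
size_t work_for(int datlen)
{
    unsigned char buf[4096];
    int n;
    for (n = 0; n < datlen; n++)
        buf[n] = (unsigned char)(n * 31 + 7);   /* constructed input */
    rs_init();
    model_addrandom_all(buf, datlen);
    return bytes_touched;
}

/* Returns 1 if flipping the last byte of a 1024-byte input (offset 1023,
 * far beyond the first 256 bytes) changes the final state. Byte 1023 is read
 * by the final step of the fourth chunk, so the two runs must end differing
 * at s[i]. */
int tail_matters(void)
{
    unsigned char a[1024], b[1024];
    struct rc4_state sa;
    int n;

    for (n = 0; n < 1024; n++)
        a[n] = b[n] = (unsigned char)(n * 13 + 5);   /* constructed input */
    b[1023] ^= 0xff;                                 /* differ only in the tail */

    rs_init();
    model_addrandom_all(a, 1024);
    sa = rs;
    rs_init();
    model_addrandom_all(b, 1024);
    return memcmp(&sa, &rs, sizeof rs) != 0;
}
```

The chunk count grows with the input, but each chunk costs a fixed 256 steps, so `work_for(1000)` is 1024 and `work_for(4096)` is 4096; the MIN() that the quoted message wanted in the caller is effectively already applied by the callee's `n % datlen` indexing.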