mirror of https://codeberg.org/ziglang/zig.git, synced 2025-12-07 14:24:43 +00:00
`DefaultCsprng` is documented as a cryptographically secure RNG. While `ISAAC` is a CSPRNG, the variant we have, `ISAAC64`, is not. A 64-bit seed is a bit small to satisfy that claim. We also saw it being used with the current date as a seed; that also defeats the point of a CSPRNG.

Set `DefaultCsprng` to `Gimli` instead of `ISAAC64`, rename the parameter from `init_s` to `secret_seed`, and add a comment to clarify what kind of seed is expected here. Instead of directly touching the internals of the Gimli implementation (which can change/be architecture-specific), add an `init()` function to the state.

Our Gimli-based CSPRNG was also not backtracking resistant. Gimli is a permutation; it can be reverted. So, if the state was ever leaked, future secrets, but also all the previously generated ones, could be recovered. Clear the rate after a squeeze in order to prevent this.

Finally, a dumb test was added just to exercise `DefaultCsprng` since we don't use it anywhere.
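The backtracking problem the commit describes, as an added example in C that is not part of the zig repository: a toy sponge RNG whose `permute` is a constructed, trivially invertible stand-in for Gimli (the names `permute`, `unpermute`, `rng_squeeze` and `previous_output_recoverable` are assumptions), showing why an invertible permutation lets a leaked state expose the previous output, and how clearing the rate after a squeeze stops that.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Toy sponge-style RNG modeled on the commit's Gimli-based CSPRNG.
 * `permute` is a constructed, trivially invertible stand-in for Gimli
 * (not Gimli, not secure); only its invertibility matters here. */
#define WORDS 8
#define RATE  4  /* words 0..RATE-1 are the rate, the rest the capacity */

static uint32_t rotl(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }
static uint32_t rotr(uint32_t x, int r) { return (x >> r) | (x << (32 - r)); }

static void permute(uint32_t s[WORDS]) {
    for (int round = 0; round < 4; round++)
        for (int i = 0; i < WORDS; i++) {
            s[i] += rotl(s[(i + 1) % WORDS], 7) ^ 0x9e3779b9u;
            s[i] = rotl(s[i], 13);
        }
}
/* Exact inverse of `permute`: undo every step in reverse order. */
static void unpermute(uint32_t s[WORDS]) {
    for (int round = 0; round < 4; round++)
        for (int i = WORDS - 1; i >= 0; i--) {
            s[i] = rotr(s[i], 13);
            s[i] -= rotl(s[(i + 1) % WORDS], 7) ^ 0x9e3779b9u;
        }
}

typedef struct { uint32_t s[WORDS]; bool clear_rate; } Rng;

static void rng_init(Rng *r, const uint32_t secret_seed[WORDS], bool clear_rate) {
    memcpy(r->s, secret_seed, sizeof r->s); r->clear_rate = clear_rate; permute(r->s);
}
/* Squeeze one rate block. With clear_rate set (the commit's fix) the rate words
 * are zeroed after being read, so the output no longer lives in the state. */
static void rng_squeeze(Rng *r, uint32_t out[RATE]) {
    memcpy(out, r->s, RATE * sizeof(uint32_t));
    if (r->clear_rate) memset(r->s, 0, RATE * sizeof(uint32_t));
    permute(r->s);
}
/* Leak scenario from the commit: the state is exposed right after a squeeze.
 * Step the permutation backwards once and check whether the previous output
 * is sitting in the recovered rate words. */
static bool previous_output_recoverable(bool clear_rate) {
    static const uint32_t seed[WORDS] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    Rng r; uint32_t out[RATE], back[WORDS];
    rng_init(&r, seed, clear_rate);
    rng_squeeze(&r, out);
    memcpy(back, r.s, sizeof back);
    unpermute(back);   /* state as it was when `out` was read */
    return memcmp(out, back, sizeof out) == 0;
}
```

Without clearing, the rate recovered by inverting the permutation is exactly the block that was just output; with clearing it is all zeros, so inversion reveals nothing about past output.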