Use the OS secure random number generator rather than the OpenSSL one to generate IVs

The OpenSSL one is not fork-safe, and in general I trust the kernel CSRNG
more than OpenSSL's.
This commit is contained in:
Kovid Goyal 2022-08-11 05:07:38 +05:30
parent 1348327414
commit b06cbc9465
No known key found for this signature in database
GPG Key ID: 06BC317B515ACE7C


@ -6,6 +6,7 @@
*/
#include "data-types.h"
#include "cross-platform-random.h"
#include <openssl/evp.h>
#include <openssl/ec.h>
@ -267,7 +268,7 @@ new_aes256gcmencrypt(PyTypeObject *type, PyObject *args, PyObject *kwds UNUSED)
if (!self) return NULL;
if (!(self->ctx = EVP_CIPHER_CTX_new())) { Py_CLEAR(self); return set_error_from_openssl("Failed to allocate encryption context"); }
if (!(self->iv = PyBytes_FromStringAndSize(NULL, EVP_CIPHER_iv_length(cipher)))) { Py_CLEAR(self); return NULL; }
if (1 != RAND_bytes((unsigned char*)PyBytes_AS_STRING(self->iv), PyBytes_GET_SIZE(self->iv))) { Py_CLEAR(self); return NULL; }
if (!secure_random_bytes((unsigned char*)PyBytes_AS_STRING(self->iv), PyBytes_GET_SIZE(self->iv))) { Py_CLEAR(self); return NULL; }
if (!(self->tag = PyBytes_FromStringAndSize(NULL, 0))) { Py_CLEAR(self); return NULL; }
if (1 != EVP_EncryptInit_ex(self->ctx, EVP_aes_256_gcm(), NULL, key->secret, (const unsigned char*)PyBytes_AS_STRING(self->iv))) {
Py_CLEAR(self); return set_error_from_openssl("Failed to initialize encryption context"); }
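Review bot: The new `secure_random_bytes` failure branch returns NULL from a tp_new slot without setting a Python exception, which surfaces to the caller as `SystemError: error return without exception set` instead of a meaningful error; the removed `RAND_bytes` branch had the same gap, but the new line is the one now under review. Unless `secure_random_bytes` sets an exception itself (not visible from this hunk), the branch should report the failure, e.g. `if (!secure_random_bytes((unsigned char*)PyBytes_AS_STRING(self->iv), PyBytes_GET_SIZE(self->iv))) { Py_CLEAR(self); PyErr_SetString(PyExc_OSError, "Failed to generate random IV"); return NULL; }`. The `!` test also presumes a non-zero-on-success return convention and that `PyBytes_GET_SIZE`'s `Py_ssize_t` converts cleanly to the function's size parameter; both depend on the declaration in cross-platform-random.h, which is worth confirming. The enclosing `new_aes256gcmencrypt` starts before and ends after the hunk.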