o1c-dev / o1c

O(1) Cryptography is an easy to use, hard to misuse Java cryptographic library based on O(1) cryptographic algorithms
ISC License

C implementation of DRBG doesn't appear to mix in entropy #24

Closed matt36 closed 2 years ago

matt36 commented 2 years ago

The C implementation of the DRBG doesn't appear to mix in the gathered entropy, resulting in predictable output.

In the function below the entropy is collected in the local array 'seed', but this is never passed to the hasher.

static void drbg_ensure_init(void) {
    if (!drbg.initialized) {
        drbg.counter = 0;
        uint8_t seed[BLAKE3_KEY_LEN];
        drbg_entropy(seed, BLAKE3_KEY_LEN);
        drbg_ratchet();
        drbg.initialized = true;
    }
}

I think a call to blake3_hasher_init_keyed() would be needed, which I think is equivalent to what the Java version is doing.
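To make the defect concrete from a testing standpoint, here is an added, self-contained C example (not o1c's code) that models the seeding path described above with a deliberately broken and a fixed initialiser side by side, plus the regression check that catches the bug: two instances seeded with different entropy must never emit the same output. BLAKE3 is replaced by a small keyed mixing function (`keyed_hash`, an assumption, not cryptographic) so the file compiles without any library; in the real code the fixed path would pass the seed to `blake3_hasher_init_keyed()` instead. The entropy source, the constants and the `drbg_t` layout are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32  /* same width as BLAKE3_KEY_LEN */

/* Stand-in for a keyed hash (in o1c: blake3_hasher_init_keyed + update +
 * finalize). NOT cryptographic; it only needs to be a deterministic function
 * of (key, data) so the check below can show whether entropy reaches the
 * output stream. mix64 is a bijective 64-bit finalizer. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

static void keyed_hash(const uint8_t key[KEY_LEN], const uint8_t *data,
                       size_t len, uint8_t out[KEY_LEN]) {
    uint64_t s[4];
    for (int i = 0; i < 4; i++) {          /* absorb the key into 4 lanes */
        uint64_t v = 0;
        for (int j = 0; j < 8; j++) v |= (uint64_t)key[i * 8 + j] << (8 * j);
        s[i] = mix64(v ^ (0x9e3779b97f4a7c15ULL * (uint64_t)(i + 1)));
    }
    for (size_t i = 0; i < len; i++)       /* absorb the message bytes */
        s[i % 4] = mix64(s[i % 4] ^ data[i] ^ ((uint64_t)(i + 1) << 8));
    for (int i = 0; i < 4; i++) {          /* squeeze KEY_LEN output bytes */
        uint64_t v = mix64(s[i] ^ s[(i + 1) % 4]);
        for (int j = 0; j < 8; j++) out[i * 8 + j] = (uint8_t)(v >> (8 * j));
    }
}

typedef struct {
    uint8_t key[KEY_LEN];   /* hash key: this is what the seed must land in */
    uint64_t counter;
    int initialized;
} drbg_t;

/* Constructed entropy source: copies caller-supplied bytes so the check can
 * give two instances different entropy (stands in for drbg_entropy()). */
static void drbg_entropy(uint8_t seed[KEY_LEN], const uint8_t *src, size_t len) {
    memset(seed, 0, KEY_LEN);
    memcpy(seed, src, len < KEY_LEN ? len : KEY_LEN);
}

/* Ratchet: key <- H_key(counter), so earlier keys cannot be recovered. */
static void drbg_ratchet(drbg_t *d) {
    uint8_t ctr[8], next[KEY_LEN];
    for (int i = 0; i < 8; i++) ctr[i] = (uint8_t)(d->counter >> (8 * i));
    keyed_hash(d->key, ctr, sizeof ctr, next);
    memcpy(d->key, next, KEY_LEN);
    d->counter++;
}

/* Broken init, mirroring the issue: the seed is gathered into a local
 * but never reaches the hasher, so the key stays all-zero for everyone. */
static void drbg_init_broken(drbg_t *d, const uint8_t *ent, size_t len) {
    uint8_t seed[KEY_LEN];
    memset(d, 0, sizeof *d);
    drbg_entropy(seed, ent, len);
    (void)seed;              /* BUG: entropy is dropped on the floor */
    drbg_ratchet(d);
    d->initialized = 1;
}

/* Fixed init: the seed becomes the hash key before the first ratchet
 * (the analogue of blake3_hasher_init_keyed(&hasher, seed)). */
static void drbg_init_fixed(drbg_t *d, const uint8_t *ent, size_t len) {
    uint8_t seed[KEY_LEN];
    memset(d, 0, sizeof *d);
    drbg_entropy(seed, ent, len);
    memcpy(d->key, seed, KEY_LEN);
    drbg_ratchet(d);
    d->initialized = 1;
}

/* Emit one KEY_LEN block and ratchet forward. */
static void drbg_generate(drbg_t *d, uint8_t out[KEY_LEN]) {
    static const uint8_t domain[] = "out";   /* domain separation from ratchet */
    keyed_hash(d->key, domain, sizeof domain, out);
    drbg_ratchet(d);
}

typedef void (*drbg_init_fn)(drbg_t *, const uint8_t *, size_t);

/* Regression check: returns 1 if two instances seeded with different entropy
 * produce the same first block (i.e. the bug is present), 0 otherwise. */
int same_output_for_different_entropy(drbg_init_fn init) {
    static const uint8_t ent_a[KEY_LEN] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed */
    static const uint8_t ent_b[KEY_LEN] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    drbg_t a, b;
    uint8_t out_a[KEY_LEN], out_b[KEY_LEN];
    init(&a, ent_a, KEY_LEN);
    init(&b, ent_b, KEY_LEN);
    drbg_generate(&a, out_a);
    drbg_generate(&b, out_b);
    return memcmp(out_a, out_b, KEY_LEN) == 0;
}

int main(void) {
    printf("broken init, identical output: %d\n",
           same_output_for_different_entropy(drbg_init_broken));
    printf("fixed init,  identical output: %d\n",
           same_output_for_different_entropy(drbg_init_fixed));
    return 0;
}
```

The check is worth keeping as a unit test in any DRBG: a compiler will happily accept a seed that is written and never read, and the output still looks random, so only a test that compares two differently-seeded instances (or a warning-as-error build that flags the unused local) will catch this class of bug.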

jvz commented 2 years ago

Oh yeah that looks like a legit problem, oops!