Use RC4-drop, not RC4
author Ian Jackson <ijackson@chiark.greenend.org.uk>
Thu, 21 Feb 2013 15:49:53 +0000 (15:49 +0000)
committer Ian Jackson <ijackson@chiark.greenend.org.uk>
Thu, 21 Feb 2013 17:57:53 +0000 (17:57 +0000)
RC4 is broken and is vulnerable to key recovery attacks.
See http://en.wikipedia.org/wiki/RC4#Security

Dropping the first 3072 bytes of the stream makes one of these attacks
harder.  This doesn't fix the problems with using RC4 but it is an
improvement.

These problems are probably theoretical right now because plausible
contemporary threat models don't seem to involve the fake flash drive
trying serious cryptanalysis on our datastream.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
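The following is an added illustration, not code from vbig or from this commit: a minimal RC4 keystream generator with an explicit drop step, so the mechanics of "RC4-drop[n]" are visible. The class name Rc4Stream, its drop() method, and the rc4_keystream_hex() helper are assumptions made for this example; only the stream(buf, n) call shape mirrors the patch. The point it shows is that dropping the first n bytes is the same as starting to read the keystream at offset n, and that the drop is applied exactly once, right after keying, never once per output block.

```cpp
// Added example (not vbig's own code): RC4 keystream generation with an
// RC4-drop[n] step. Key must be non-empty (1..256 bytes), as RC4 requires.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

class Rc4Stream {
public:
  // Key-scheduling algorithm (KSA): initialise the permutation S from the key.
  Rc4Stream(const unsigned char *key, size_t keylen) : i_(0), j_(0) {
    for (unsigned k = 0; k < 256; ++k) S_[k] = static_cast<uint8_t>(k);
    uint8_t j = 0;
    for (unsigned k = 0; k < 256; ++k) {
      j = static_cast<uint8_t>(j + S_[k] + key[k % keylen]);
      std::swap(S_[k], S_[j]);
    }
  }

  // Pseudo-random generation algorithm (PRGA): write the next n keystream
  // bytes into buf. Same call shape as rng.stream(buf, n) in the patch.
  void stream(unsigned char *buf, size_t n) {
    for (size_t k = 0; k < n; ++k) {
      i_ = static_cast<uint8_t>(i_ + 1);
      j_ = static_cast<uint8_t>(j_ + S_[i_]);
      std::swap(S_[i_], S_[j_]);
      buf[k] = S_[static_cast<uint8_t>(S_[i_] + S_[j_])];
    }
  }

  // RC4-drop[n]: generate and discard the first `count` keystream bytes.
  // Call once, immediately after keying; the internal state advances, so
  // subsequent stream() calls continue from byte `count` of the keystream.
  void drop(size_t count) {
    unsigned char scratch[256];
    while (count > 0) {
      size_t chunk = count < sizeof scratch ? count : sizeof scratch;
      stream(scratch, chunk);
      count -= chunk;
    }
  }

private:
  uint8_t S_[256];
  uint8_t i_, j_;
};

// Hex string of n keystream bytes for `key`, after dropping `dropBytes` bytes.
// Hypothetical helper, used here to make the drop/offset equivalence checkable.
std::string rc4_keystream_hex(const std::string &key, size_t dropBytes, size_t n) {
  Rc4Stream rng(reinterpret_cast<const unsigned char *>(key.data()), key.size());
  rng.drop(dropBytes);
  std::vector<unsigned char> out(n);
  rng.stream(out.data(), n);
  static const char digits[] = "0123456789ABCDEF";
  std::string hex;
  for (unsigned char b : out) {
    hex += digits[b >> 4];
    hex += digits[b & 0xF];
  }
  return hex;
}

int main() {
  // Plain RC4 (no drop) for key "Key": EB9F7781B734CA72A719 (public test vector).
  std::printf("RC4       : %s\n", rc4_keystream_hex("Key", 0, 10).c_str());
  // RC4-drop[3]: the same stream starting at byte 3.
  std::printf("RC4-drop3 : %s\n", rc4_keystream_hex("Key", 3, 7).c_str());
  // RC4-drop[3072], the figure the commit uses.
  std::printf("RC4-drop3072: %s\n", rc4_keystream_hex("Key", 3072, 8).c_str());
  return 0;
}
```

The key "Key" and its keystream are the publicly documented RC4 test vector; the constructed drop-by-3 case makes the offset equivalence obvious. Note that drop() is a cost paid once per keying, so for vbig's long streams a 3072-byte drop is negligible, whereas applying it inside the per-block loop would both waste time and change what the stream means.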
vbig.cc

diff --git a/vbig.cc b/vbig.cc
index 53ef6a575c5c69e2346df0db0a196a474f87e4eb..1823dd316aaacba1cc7d1efb7bea0d6d4e300e29 100644 (file)
--- a/vbig.cc
+++ b/vbig.cc
@@ -192,6 +192,9 @@ static long long execute(mode_type mode, bool entire, const char *show) {
     setvbuf(fp, 0, _IONBF, 0);
   char generated[4096], input[4096];
   long long remain = size;
+  static const size_t rc4drop = 3072; // en.wikipedia.org/wiki/RC4#Security
+  assert(rc4drop <= sizeof(generated));
+  rng.stream(generated, rc4drop);
   while(remain > 0) {
     size_t bytesGenerated = (remain > (ssize_t)sizeof generated
                              ? sizeof generated
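Review bot: the new `assert(rc4drop <= sizeof(generated));` compares two compile-time constants, so it only protects the `rng.stream(generated, rc4drop)` call in builds where `assert` is live; with `NDEBUG` defined it compiles away and a later shrink of `generated[4096]` below 3072 would overflow the buffer silently. A `static_assert(rc4drop <= sizeof(generated), "rc4drop must fit in generated")` (or an equivalent compile-time check if the build predates C++11) catches that in every build. Also confirm the header providing `assert` is included, since the hunk does not show it. Placing the drop once before `while(remain > 0)` rather than inside the loop is the right shape for a keystream drop: the 3072 discarded bytes are generated exactly once per keying.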