From f5cf02c54821c02adcdaa5c88a33050fab5fea01 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 21 Feb 2013 15:49:53 +0000
Subject: [PATCH] Use RC4-drop, not RC4
RC4 is broken and is vulnerable to key recovery attacks. See http://en.wikipedia.org/wiki/RC4#Security Dropping the first 3072 bytes of the stream makes one of these attacks harder. This doesn't fix the problems with using RC4 but it is an improvement. These problems are probably theoretical right now because plausible contemporary threat models don't seem to involve the fake flash drive trying serious cryptanalysis on our datastream.
Signed-off-by: Ian Jackson
---
vbig.cc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/vbig.cc b/vbig.cc
index 53ef6a5..1823dd3 100644
--- a/vbig.cc
+++ b/vbig.cc
@@ -192,6 +192,9 @@ static long long execute(mode_type mode, bool entire, const char *show) {
 setvbuf(fp, 0, _IONBF, 0);
 char generated[4096], input[4096];
 long long remain = size;
+ static const size_t rc4drop = 3072; // en.wikipedia.org/wiki/RC4#Security
+ assert(rc4drop <= sizeof(generated));
+ rng.stream(generated, rc4drop);
 while(remain > 0) {
 size_t bytesGenerated = (remain > (ssize_t)sizeof generated ? sizeof generated
--
2.30.2
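Review bot: The three added lines change the keystream `execute()` produces for a given seed, and if the verify mode regenerates the stream the same way to compare against what was written, devices written by a build without the drop will now fail verification; that compatibility break is not mentioned in the message and, since no format or version marker is visible in the hunk, is worth documenting next to the constant, e.g. `// NOTE: enabling RC4-drop changes the generated stream; data written before this change will not verify`. The check `assert(rc4drop <= sizeof(generated))` compares two compile-time constants, so it disappears under NDEBUG; if the build allows C++11 it is better expressed as `static_assert(rc4drop <= sizeof(generated), "RC4-drop prefix must fit in the generate buffer");`, which keeps the guard in release builds. The 3072-byte drop only addresses the key-schedule-correlated early bytes and not the single-byte keystream biases beyond that prefix, which the commit message already acknowledges but the code comment does not. The body of `execute()` continues outside the hunk.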