SHA1PRNG forced in SecureRandom #558

Closed
nicolasbon38 opened this issue Feb 20, 2024 · 2 comments

@nicolasbon38

In the KeyHelper class, an instance of SecureRandom is created and "SHA1PRNG" is passed to the constructor.

Why did you make this choice? Wouldn't calling the constructor without arguments let the best PRNG on a given platform be picked?

@jrose-signal
Contributor

Excitingly, that code is over ten years old! Well before my time at Signal, and before I did anything with Android.

Given that we use the default SecureRandom elsewhere in libsignal, it would make sense to do the same here. There isn't even a performance argument, since registration IDs are only generated at registration and when you change your number.

@jrose-signal
Contributor

Ha, I accidentally autoclosed this with the fix in the private pre-release repo. The hardcoding of SHA1PRNG will be removed in the next release of libsignal, thanks for calling it out!
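
The difference discussed in this thread, as an added example that is not part of the original issue and is not libsignal's code: a pinned `SecureRandom.getInstance("SHA1PRNG")` beside the no-argument constructor, printing which algorithm and provider each one resolves to. The class name, the helper names and the `MAX_ID` bound are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class RegistrationIdRng {
    // Constructed bound for illustration only; not a value from the thread.
    private static final int MAX_ID = 10_000;

    // "Before": the algorithm name is pinned, so every platform is asked
    // for SHA1PRNG regardless of what its providers would prefer.
    static SecureRandom pinned() throws NoSuchAlgorithmException {
        return SecureRandom.getInstance("SHA1PRNG");
    }

    // "After": the no-argument constructor lets the installed security
    // providers, in preference order, pick the implementation.
    static SecureRandom platformDefault() {
        return new SecureRandom();
    }

    // Draws an ID in [1, MAX_ID] from whichever generator is supplied.
    static int registrationId(SecureRandom rng) {
        return rng.nextInt(MAX_ID) + 1;
    }

    // Reports what was actually selected, useful when auditing a platform.
    static String describe(SecureRandom rng) {
        return rng.getAlgorithm() + " from provider " + rng.getProvider().getName();
    }

    public static void main(String[] args) {
        SecureRandom def = platformDefault();
        System.out.println("default: " + describe(def)
                + " -> id " + registrationId(def));
        try {
            SecureRandom old = pinned();
            System.out.println("pinned:  " + describe(old)
                    + " -> id " + registrationId(old));
        } catch (NoSuchAlgorithmException e) {
            // Pinning a name adds a failure mode the default path does not have.
            System.out.println("SHA1PRNG not available: " + e.getMessage());
        }
    }
}
```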
