
Drop 4096 bytes of the early keystream #1586

Open
loganaden wants to merge 1 commit into master

Conversation

loganaden (Author)

It might be safer to drop 4096 bytes to be on the safe side.

See: https://twitter.com/nugxperience/status/1773906926503591970

RC4 implementation in xz-utils backdoor discards 4096 bytes.
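Why the first keystream bytes are the problem, as an added example (my code, not libevent's arc4random.c): a minimal RC4 with an RC4-drop[n] parameter, a self-check against the published "Key" test vector, and a counter that keys 30,000 instances with constructed keys (derived from a fixed splitmix64 seed, my choice) and measures how often the second keystream byte is 0. Raw RC4 returns 0 there about 2/256 of the time rather than 1/256 (the Mantin-Shamir second-byte bias); after discarding 4096 bytes, as the PR proposes, the rate is back to roughly 1/256. The trial count and seed are arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plain RC4 state: the 256-byte permutation plus the PRGA indices. */
typedef struct {
    uint8_t s[256];
    uint8_t i, j;
} rc4_ctx;

/* PRGA: emit one keystream byte. */
static uint8_t rc4_byte(rc4_ctx *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->s[c->i]);
    uint8_t t = c->s[c->i];
    c->s[c->i] = c->s[c->j];
    c->s[c->j] = t;
    return c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
}

/* KSA, then discard the first `drop` keystream bytes (RC4-drop[n]).
 * drop == 0 is raw RC4; the PR proposes drop == 4096. */
static void rc4_init(rc4_ctx *c, const uint8_t *key, size_t keylen, size_t drop)
{
    for (int k = 0; k < 256; k++)
        c->s[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + c->s[k] + key[k % keylen]);
        uint8_t t = c->s[k];
        c->s[k] = c->s[j];
        c->s[j] = t;
    }
    c->i = c->j = 0;
    for (size_t k = 0; k < drop; k++)
        (void)rc4_byte(c);
}

/* Self-check against the published test vector: key "Key" yields the
 * keystream EB 9F 77 81 ... Returns 1 on match. */
static int rc4_selfcheck(void)
{
    static const uint8_t expect[4] = { 0xEB, 0x9F, 0x77, 0x81 };
    rc4_ctx c;
    rc4_init(&c, (const uint8_t *)"Key", 3, 0);
    for (int k = 0; k < 4; k++)
        if (rc4_byte(&c) != expect[k])
            return 0;
    return 1;
}

/* splitmix64: deterministic generator for the constructed test keys.
 * Not a CSPRNG; it only has to give many distinct keys reproducibly. */
static uint64_t splitmix64(uint64_t *st)
{
    uint64_t z = (*st += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Key `trials` fresh RC4 instances with constructed 16-byte keys, skip
 * `drop` bytes, then count how often the *second* byte read is 0.
 * An unbiased byte is 0 about trials/256 times; raw RC4's second output
 * byte is 0 about twice that often (the Mantin-Shamir bias). */
static unsigned count_second_byte_zero(unsigned trials, size_t drop)
{
    uint64_t seed = 0x5eed5eed5eed5eedULL;  /* constructed, fixed for reproducibility */
    unsigned zeros = 0;
    for (unsigned t = 0; t < trials; t++) {
        uint8_t key[16];
        for (int k = 0; k < 16; k += 8) {
            uint64_t r = splitmix64(&seed);
            memcpy(key + k, &r, 8);
        }
        rc4_ctx c;
        rc4_init(&c, key, sizeof key, drop);
        (void)rc4_byte(&c);        /* first byte */
        if (rc4_byte(&c) == 0)     /* second byte */
            zeros++;
    }
    return zeros;
}

int main(void)
{
    const unsigned trials = 30000;
    printf("self-check: %s\n", rc4_selfcheck() ? "ok" : "FAILED");
    printf("expected count for an unbiased byte: ~%u\n", trials / 256);
    printf("second byte == 0, drop 0:    %u\n", count_second_byte_zero(trials, 0));
    printf("second byte == 0, drop 4096: %u\n", count_second_byte_zero(trials, 4096));
    return 0;
}
```

The drop-0 count comes out near 234 (2/256 of 30,000) and the drop-4096 count near 117 (1/256). Dropping early bytes removes this particular bias, but it does not address the other known keystream biases in RC4, which is the reason the thread goes on to discuss replacing the cipher rather than patching it.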
Coeur (Contributor) commented May 5, 2024

It's 2024 and all the systems have arc4random natively. I feel we should just delete our arc4random.c instead of maintaining it.

loganaden (Author) commented

I shall prepare a diff to do that then?

Coeur (Contributor) commented May 5, 2024

No. I'm reading through the history. I see:

Add an arc4random implementation for use by evdns

Previously, evdns was at the mercy of the user for providing a good
entropy source; without one, it would be vulnerable to various
active attacks.

This patch adds a port of OpenBSD's arc4random() calls to Libevent
[port by Chris Davis], and wraps it up a little bit so we can use it
more safely.

So better, can we re-align our implementation with newer implementations based on ChaCha instead of RC4?

Coeur (Contributor) commented May 6, 2024

I shall prepare a diff to do that then?

On second thought, maybe yes, you can propose a pull request that removes "arc4random.c". I do not know what @azat or @nmathewson would think of it, but I would support that nowadays people should rely on their system's implementation of arc4random (or the one from GNU C Library if their system doesn't have arc4random natively) instead of having it poorly maintained by libevent: https://en.wikipedia.org/wiki/RC4#Security

As of 2015, there is speculation that some state cryptologic agencies may possess the capability to break RC4 when used in the TLS protocol. IETF has published RFC 7465 to prohibit the use of RC4 in TLS; Mozilla and Microsoft have issued similar recommendations.

That file should have moved to ChaCha many years ago otherwise. I believe OpenBSD moved to ChaCha in 2013.
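What "based on ChaCha instead of RC4" amounts to, as an added example (my code, not libevent's or OpenBSD's): the ChaCha20 block function in the RFC 8439 layout (256-bit key, 96-bit nonce, 32-bit block counter) and a keystream filler that takes the place of the RC4 PRGA. The self-checks use RFC 8439's own quarter-round (section 2.1.1) and block (section 2.3.2) test vectors. Seeding the key and nonce from the OS and deciding when to rekey are design choices outside this snippet; the constants in main are a constructed demo key only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* RFC 8439 quarter round on four state words. */
#define QR(a, b, c, d)                              \
    do {                                            \
        a += b; d ^= a; d = ROTL32(d, 16);          \
        c += d; b ^= c; b = ROTL32(b, 12);          \
        a += b; d ^= a; d = ROTL32(d, 8);           \
        c += d; b ^= c; b = ROTL32(b, 7);           \
    } while (0)

static uint32_t load32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store32_le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* One 64-byte block: key, nonce and counter go into the 16-word state,
 * 20 rounds are applied, and the original state is added back. */
void chacha20_block(const uint8_t key[32], const uint8_t nonce[12],
                    uint32_t counter, uint8_t out[64])
{
    uint32_t st[16], x[16];
    st[0] = 0x61707865; st[1] = 0x3320646e;   /* "expand 32-byte k" */
    st[2] = 0x79622d32; st[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) st[4 + i] = load32_le(key + 4 * i);
    st[12] = counter;
    for (int i = 0; i < 3; i++) st[13 + i] = load32_le(nonce + 4 * i);

    memcpy(x, st, sizeof x);
    for (int r = 0; r < 10; r++) {            /* 10 double rounds */
        QR(x[0], x[4], x[8],  x[12]); QR(x[1], x[5], x[9],  x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8],  x[13]); QR(x[3], x[4], x[9],  x[14]);
    }
    for (int i = 0; i < 16; i++) store32_le(out + 4 * i, x[i] + st[i]);
}

/* Fill `len` bytes of keystream starting at block `counter`: the role
 * the RC4 PRGA plays in arc4random.c, with no early bytes to discard. */
void chacha20_keystream(const uint8_t key[32], const uint8_t nonce[12],
                        uint32_t counter, uint8_t *out, size_t len)
{
    uint8_t block[64];
    while (len > 0) {
        chacha20_block(key, nonce, counter++, block);
        size_t n = len < 64 ? len : 64;
        memcpy(out, block, n);
        out += n;
        len -= n;
    }
}

/* RFC 8439 2.1.1 quarter-round vector. Returns 1 on match. */
int quarterround_selfcheck(void)
{
    uint32_t a = 0x11111111, b = 0x01020304, c = 0x9b8d6f43, d = 0x01234567;
    QR(a, b, c, d);
    return a == 0xea2a92f4 && b == 0xcb1cf8ce && c == 0x4581472e && d == 0x5881c4bb;
}

/* RFC 8439 2.3.2 block vector: key 00..1f, nonce 00:00:00:09:00:00:00:4a:00:00:00:00,
 * counter 1. Returns 1 when the first and last output words match. */
int chacha20_selfcheck(void)
{
    static const uint8_t nonce[12] = { 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0 };
    uint8_t key[32], out[64];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, nonce, 1, out);
    return load32_le(out) == 0xe4e7f110 && load32_le(out + 60) == 0x4e3c50a2;
}

int main(void)
{
    uint8_t key[32], nonce[12] = { 0 }, ks[16];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;   /* constructed demo key */
    printf("quarter-round vector: %s\n", quarterround_selfcheck() ? "ok" : "FAILED");
    printf("block vector:         %s\n", chacha20_selfcheck() ? "ok" : "FAILED");
    chacha20_keystream(key, nonce, 0, ks, sizeof ks);
    for (size_t i = 0; i < sizeof ks; i++) printf("%02x", ks[i]);
    printf("\n");
    return 0;
}
```

A system arc4random built on this keeps a key and nonce seeded from the kernel, refills a buffer with chacha20_keystream, and periodically replaces the key with fresh output so earlier output cannot be reconstructed from a later state dump; that lifecycle, not the block function, is the part a library has to get right.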

loganaden (Author) commented May 6, 2024

Let's wait for others to weigh in, and then I'll prepare the updated PR.
