Consider changing calls from GetNonZeroBytes to GetBytes #4377
This was referenced Sep 25, 2020
This is actually dead code, this method was pulled in by mistake and is only used in NetFx by server side code. So the action here is to remove the entire ProcessRstAndIssueKey method.
@imcarolwang could you try to submit a PR for this issue?
Merged
This is now fixed
The file https://github.com/dotnet/wcf/blob/master/src/System.Private.ServiceModel/src/System/ServiceModel/Security/WSTrust.cs contains two calls to `RandomNumberGenerator.GetNonZeroBytes`. Is it intentional that this code uses `GetNonZeroBytes` over the preferred API `RandomNumberGenerator.GetBytes`? Using `GetNonZeroBytes` reduces entropy somewhat, so it should only be used when the caller absolutely needs to prevent any zero bytes from being included in the buffer.
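
The entropy reduction raised in the issue, quantified in an added example (not code from dotnet/wcf or from the thread). The 32-byte key length and the sample count are assumptions chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Added example: compares GetBytes and GetNonZeroBytes for key material.
// KeySizeBytes and Samples are assumed values, not taken from WSTrust.cs.
static class NonZeroBytesEntropy
{
    const int KeySizeBytes = 32;
    const int Samples = 100_000;

    // Entropy in bits of a buffer whose bytes are uniform over `symbols` values.
    static double EntropyBits(int lengthBytes, int symbols) =>
        lengthBytes * Math.Log2(symbols);

    static void Main()
    {
        using var rng = RandomNumberGenerator.Create();
        var buffer = new byte[KeySizeBytes];

        // GetBytes draws each byte from 0x00..0xFF, so some keys contain a zero.
        int keysWithZero = 0;
        for (int i = 0; i < Samples; i++)
        {
            rng.GetBytes(buffer);
            if (buffer.Any(b => b == 0)) keysWithZero++;
        }

        // GetNonZeroBytes draws each byte from 0x01..0xFF, so no key ever does.
        rng.GetNonZeroBytes(buffer);
        if (buffer.Any(b => b == 0))
            throw new InvalidOperationException("GetNonZeroBytes returned a zero byte");

        double fullBits = EntropyBits(KeySizeBytes, 256);
        double nonZeroBits = EntropyBits(KeySizeBytes, 255);

        // Share of the full key space that a zero-free buffer can never reach.
        double excluded = 1.0 - Math.Pow(255.0 / 256.0, KeySizeBytes);

        Console.WriteLine($"GetBytes entropy:        {fullBits:F3} bits");
        Console.WriteLine($"GetNonZeroBytes entropy: {nonZeroBits:F3} bits");
        Console.WriteLine($"Entropy lost:            {fullBits - nonZeroBits:F3} bits");
        Console.WriteLine($"Key space excluded:      {excluded:P2} (predicted)");
        Console.WriteLine($"GetBytes keys with 0x00: {(double)keysWithZero / Samples:P2} (observed)");
    }
}
```

The observed share of `GetBytes` keys containing a zero byte should track the predicted excluded share, which is the part of the key space `GetNonZeroBytes` gives up.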