replace math/rand with crypto/rand when generating secrets

jason919 · Jan 7, 2023 · 0ac7de2 · 0ac7de2
1 parent 2cc00b9
commit 0ac7de2
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 40 deletions.
diff --git a/server/validate/email/validate.go b/server/validate/email/validate.go
@@ -3,11 +3,13 @@ package email
 
 import (
 	"bytes"
+	crand "crypto/rand"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math/big"
 	"math/rand"
 	"mime"
 	qp "mime/quotedprintable"
@@ -363,8 +365,11 @@ func (v *validator) Request(user t.Uid, email, lang, resp string, tmpToken []byt
 	base64.StdEncoding.Encode(token, tmpToken)
 
 	// Generate expected response as a random numeric string between 0 and 999999.
-	// The PRNG is already initialized in main.go. No need to initialize it here again.
-	resp = strconv.FormatInt(int64(rand.Intn(maxCodeValue)), 10)
+	code, err := crand.Int(crand.Reader, big.NewInt(maxCodeValue))
+	if err != nil {
+		return false, err
+	}
+	resp = strconv.FormatInt(code.Int64(), 10)
 	resp = strings.Repeat("0", codeLength-len(resp)) + resp
 
 	var template *textt.Template
@@ -480,7 +485,6 @@ func (v *validator) Remove(user t.Uid, value string) error {
 }
 
 // SendMail replacement
-//
 func (v *validator) sendMail(rcpt []string, msg []byte) error {
 
 	client, err := smtp.Dial(v.SMTPAddr + ":" + v.SMTPPort)

diff --git a/tinode-db/main.go b/tinode-db/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	crand "crypto/rand"
 	"encoding/json"
 	"flag"
 	"io/ioutil"
@@ -51,24 +52,25 @@ type DefAccess struct {
 
 /*
 User object in data.json
-   "createdAt": "-140h",
-   "email": "alice@example.com",
-   "tel": "17025550001",
-   "passhash": "alice123",
-   "private": {"comment": "some comment 123"},
-   "public": {"fn": "Alice Johnson", "photo": "alice-64.jpg", "type": "jpg"},
-   "state": "ok",
-   "authLevel": "auth",
-   "status": {
-     "text": "DND"
-   },
-   "username": "alice",
-	"tags": ["tag1"],
-	"addressBook": ["email:bob@example.com", "email:carol@example.com", "email:dave@example.com",
-		"email:eve@example.com","email:frank@example.com","email:george@example.com","email:tob@example.com",
-		"tel:17025550001", "tel:17025550002", "tel:17025550003", "tel:17025550004", "tel:17025550005",
-		"tel:17025550006", "tel:17025550007", "tel:17025550008", "tel:17025550009"]
-  }
+
+	   "createdAt": "-140h",
+	   "email": "alice@example.com",
+	   "tel": "17025550001",
+	   "passhash": "alice123",
+	   "private": {"comment": "some comment 123"},
+	   "public": {"fn": "Alice Johnson", "photo": "alice-64.jpg", "type": "jpg"},
+	   "state": "ok",
+	   "authLevel": "auth",
+	   "status": {
+	     "text": "DND"
+	   },
+	   "username": "alice",
+		"tags": ["tag1"],
+		"addressBook": ["email:bob@example.com", "email:carol@example.com", "email:dave@example.com",
+			"email:eve@example.com","email:frank@example.com","email:george@example.com","email:tob@example.com",
+			"tel:17025550001", "tel:17025550002", "tel:17025550003", "tel:17025550004", "tel:17025550005",
+			"tel:17025550006", "tel:17025550007", "tel:17025550008", "tel:17025550009"]
+	  }
 */
 type User struct {
 	CreatedAt   string      `json:"createdAt"`
@@ -89,11 +91,11 @@ type User struct {
 /*
 GroupTopic object in data.json
 
-   "createdAt": "-128h",
-   "name": "*ABC",
-   "owner": "carol",
-   "channel": true,
-   "public": {"fn": "Let's talk about flowers", "photo": "abc-64.jpg", "type": "jpg"}
+	"createdAt": "-128h",
+	"name": "*ABC",
+	"owner": "carol",
+	"channel": true,
+	"public": {"fn": "Let's talk about flowers", "photo": "abc-64.jpg", "type": "jpg"}
 */
 type GroupTopic struct {
 	CreatedAt    string    `json:"createdAt"`
@@ -110,13 +112,13 @@ type GroupTopic struct {
 /*
 GroupSub object in data.json
 
- "createdAt": "-112h",
- "private": "My super cool group topic",
- "topic": "*ABC",
- "user": "alice",
- "asChan: false,
- "want": "JRWPSA",
- "have": "JRWP"
+	"createdAt": "-112h",
+	"private": "My super cool group topic",
+	"topic": "*ABC",
+	"user": "alice",
+	"asChan: false,
+	"want": "JRWPSA",
+	"have": "JRWP"
 */
 type GroupSub struct {
 	CreatedAt string   `json:"createdAt"`
@@ -133,8 +135,10 @@ P2PUser topic in data.json
 
 "createdAt": "-117h",
 "users": [
-  {"name": "eve", "private": {"comment":"ho ho"}, "want": "JRWP", "have": "N"},
-  {"name": "alice", "private": {"comment": "ha ha"}}
+
+	{"name": "eve", "private": {"comment":"ho ho"}, "want": "JRWP", "have": "N"},
+	{"name": "alice", "private": {"comment": "ha ha"}}
+
 ]
 */
 type P2PUser struct {
@@ -172,20 +176,25 @@ func genTopicName() string {
 func getPassword(n int) string {
 	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-/.+?=&"
 
-	b := make([]byte, n)
-	for i := range b {
-		b[i] = letters[rand.Intn(len(letters))]
+	rbuf := make([]byte, n)
+	if _, err := crand.Read(rbuf); err != nil {
+		log.Fatalln("Unable to generate password", err)
+	}
+
+	passwd := make([]byte, n)
+	for i, r := range rbuf {
+		passwd[i] = letters[int(r)%len(letters)]
 	}
 
-	return string(b)
+	return string(passwd)
 }
 
 func main() {
 	reset := flag.Bool("reset", false, "force database reset")
 	upgrade := flag.Bool("upgrade", false, "perform database version upgrade")
 	noInit := flag.Bool("no_init", false, "check that database exists but don't create if missing")
 	addRoot := flag.String("add_root", "", "create ROOT user")
-	makeRoot := flag.String("make_root", "", "promote ordinary user to root")
+	// makeRoot := flag.String("make_root", "", "promote ordinary user to root")
 	datafile := flag.String("data", "", "name of file with sample data to load")
 	conffile := flag.String("config", "./tinode.conf", "config of the database connection")