random: seed math/rand in one place with crypto strong seed #4783
This shouldn't be read as encouraging the use of math/rand instead of crypto/rand in security-sensitive contexts, but rather as a safer default if that does happen by accident.
parent
7985df3768
commit
f0905499e3
4 changed files with 35 additions and 5 deletions
|
@ -4,6 +4,7 @@ package random
|
|||
import (
|
||||
cryptorand "crypto/rand"
|
||||
"encoding/base64"
|
||||
"encoding/binary"
|
||||
mathrand "math/rand"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
|
@ -52,3 +53,19 @@ func Password(bits int) (password string, err error) {
|
|||
password = base64.RawURLEncoding.EncodeToString(pw)
|
||||
return password, nil
|
||||
}
|
||||
|
||||
// Seed the global math/rand with crypto strong data
|
||||
//
|
||||
// This doesn't make it OK to use math/rand in crypto sensitive
|
||||
// environments - don't do that! However it does help to mitigate the
|
||||
// problem if that happens accidentally. This would have helped with
|
||||
// CVE-2020-28924 - #4783
|
||||
func Seed() error {
|
||||
var seed int64
|
||||
err := binary.Read(cryptorand.Reader, binary.LittleEndian, &seed)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "failed to read random seed")
|
||||
}
|
||||
mathrand.Seed(seed)
|
||||
return nil
|
||||
}
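Review bot: The doc comment on `Seed` should say how little the seeding buys, because a reader can take "crypto strong data" to mean the generator now carries 64 bits of secret state. math/rand's default source reduces the int64 seed modulo 2^31-1, so only about 31 bits of the value read from `cryptorand.Reader` survive, and the output stays predictable to anyone who sees enough of it. I would add a line such as `// Note: math/rand keeps only ~31 bits of this seed, so anything secret must still come from crypto/rand.` The callers of `Seed` are outside this section; they should treat a non-nil error as fatal rather than carry on with the default seed.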
|
||||
|
|