diff --git a/contrib/token-server/main.go b/contrib/token-server/main.go
index 8f9029ea..ef699c7f 100644
--- a/contrib/token-server/main.go
+++ b/contrib/token-server/main.go
@@ -2,9 +2,10 @@ package main
 import (
 "context"
+ "crypto/rand"
 "encoding/json"
 "flag"
- "math/rand"
+ "math/big"
 "net/http"
 "strconv"
 "strings"
@@ -141,8 +142,15 @@ const refreshTokenLength = 15
 func newRefreshToken() string {
 s := make([]rune, refreshTokenLength)
+ max := int64(len(refreshCharacters))
 for i := range s {
- s[i] = refreshCharacters[rand.Intn(len(refreshCharacters))]
+ randInt, err := rand.Int(rand.Reader, big.NewInt(max))
+ // let '0' serves the failure case
+ if err != nil {
+ logrus.Infof("Error on making refersh token: %v", err)
+ randInt = big.NewInt(0)
+ }
+ s[i] = refreshCharacters[randInt.Int64()]
 }
 return string(s)
 }
diff --git a/registry/handlers/app.go b/registry/handlers/app.go
index b9fbf3da..8a30bd4d 100644
--- a/registry/handlers/app.go
+++ b/registry/handlers/app.go
@@ -2,10 +2,11 @@ package handlers
 import (
 "context"
- cryptorand "crypto/rand"
+ "crypto/rand"
 "expvar"
 "fmt"
- "math/rand"
+ "math"
+ "math/big"
 "net"
 "net/http"
 "net/url"
@@ -610,7 +611,7 @@ func (app *App) configureLogHook(configuration *configuration.Configuration) {
 func (app *App) configureSecret(configuration *configuration.Configuration) {
 if configuration.HTTP.Secret == "" {
 var secretBytes [randomSecretSize]byte
- if _, err := cryptorand.Read(secretBytes[:]); err != nil {
+ if _, err := rand.Read(secretBytes[:]); err != nil {
 panic(fmt.Sprintf("could not generate random bytes for HTTP secret: %v", err))
 }
 configuration.HTTP.Secret = string(secretBytes[:])
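Review bot: In newRefreshToken a failed draw from `rand.Reader` still produces a token, with every failed position pinned to `refreshCharacters[0]` and only an Info-level log, so a broken or exhausted CSPRNG would quietly hand out refresh tokens with far less entropy than the 15-character length suggests. A credential generator should fail closed here, the way the same commit's configureSecret in app.go already does for the HTTP secret: drop the `'0'` fallback and the comment, and make the error branch `if err != nil { panic("could not generate refresh token: " + err.Error()) }` (string concatenation keeps it independent of whether `fmt` is imported, which this hunk does not show). If newRefreshToken runs inside an http.Handler, net/http's panic recovery turns this into a failed request rather than a crashed process, but I cannot see the caller from the hunk. Two smaller points: `max` shadows the Go 1.21 builtin and would read better as `alphabetSize`, and the log message misspells "refresh" as "refersh".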
@@ -1060,8 +1061,13 @@ func startUploadPurger(ctx context.Context, storageDriver storagedriver.StorageD
 }
 go func() {
- rand.Seed(time.Now().Unix())
- jitter := time.Duration(rand.Int()%60) * time.Minute
+ randInt, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+ if err != nil {
+ log.Infof("Failed to generate random jitter: %v", err)
+ // sleep 30min for failure case
+ randInt = big.NewInt(30)
+ }
+ jitter := time.Duration(randInt.Int64()%60) * time.Minute
 log.Infof("Starting upload purge in %s", jitter)
 time.Sleep(jitter)
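Review bot: The jitter draw in startUploadPurger samples a 63-bit value bounded by `math.MaxInt64` and then reduces it with `%60`, when `rand.Int` already returns a uniform value in whatever range it is given. Drawing `randInt, err := rand.Int(rand.Reader, big.NewInt(60))` and computing `jitter := time.Duration(randInt.Int64()) * time.Minute` removes the modulo and the `math` import (which would then also leave the import hunk above), and lets the `big.NewInt(30)` fallback read directly as "30 minutes" instead of relying on `30%60 == 30`. The residual modulo bias with a 63-bit source is negligible, so this is a clarity point, not a defect; likewise an Info-level log plus a fixed fallback is acceptable here, since the jitter is scheduling noise rather than a secret, unlike the token-server change in the same commit. The goroutine body and startUploadPurger itself continue outside the hunk.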