Use a CSPRNG for generating salts and nonces (ortuman#110)

sxmpp · Apr 15, 2020 · a0c25ac · a0c25ac
1 parent 645a3a3
commit a0c25ac
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 59 deletions.
diff --git a/auth/scram.go b/auth/scram.go
@@ -9,6 +9,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/hmac"
+	"crypto/rand"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
@@ -22,7 +23,6 @@ import (
 	"github.com/ortuman/jackal/storage/repository"
 	"github.com/ortuman/jackal/stream"
 	"github.com/ortuman/jackal/transport"
-	utilrand "github.com/ortuman/jackal/util/rand"
 	utilstring "github.com/ortuman/jackal/util/string"
 	"github.com/ortuman/jackal/xmpp"
 	"golang.org/x/crypto/pbkdf2"
@@ -223,7 +223,11 @@ func (s *Scram) handleStart(ctx context.Context, elem xmpp.XElement) error {
 	s.user = user
 
 	s.srvNonce = cNonce + "-" + uuid.New().String()
-	s.salt = utilrand.RandomBytes(32)
+	s.salt = make([]byte, 32)
+	_, err = rand.Read(s.salt)
+	if err != nil {
+		return err
+	}
 	sb64 := base64.StdEncoding.EncodeToString(s.salt)
 	s.firstMessage = fmt.Sprintf("r=%s,s=%s,i=%d", s.srvNonce, sb64, iterationsCount)
 

diff --git a/auth/scram_test.go b/auth/scram_test.go
@@ -17,6 +17,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"hash"
+	"math/rand"
 	"strconv"
 	"strings"
 	"testing"
@@ -25,13 +26,21 @@ import (
 	"github.com/ortuman/jackal/model"
 	"github.com/ortuman/jackal/transport"
 	"github.com/ortuman/jackal/transport/compress"
-	utilrand "github.com/ortuman/jackal/util/rand"
 	utilstring "github.com/ortuman/jackal/util/string"
 	"github.com/ortuman/jackal/xmpp"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/pbkdf2"
 )
 
+func randomBytes(l int) []byte {
+	b := make([]byte, l)
+	_, err := rand.Read(b)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}
+
 type fakeTransport struct {
 	cbBytes []byte
 }
@@ -106,7 +115,7 @@ var tt = []scramAuthTestCase{
 		id:          4,
 		scramType:   ScramSHA1,
 		usesCb:      true,
-		cbBytes:     utilrand.RandomBytes(23),
+		cbBytes:     randomBytes(23),
 		gs2BindFlag: "p=tls-unique",
 		authID:      "a=jackal.im",
 		n:           "ortuman",
@@ -118,7 +127,7 @@ var tt = []scramAuthTestCase{
 		id:          5,
 		scramType:   ScramSHA256,
 		usesCb:      true,
-		cbBytes:     utilrand.RandomBytes(32),
+		cbBytes:     randomBytes(32),
 		gs2BindFlag: "p=tls-unique",
 		authID:      "a=jackal.im",
 		n:           "ortuman",
@@ -130,7 +139,7 @@ var tt = []scramAuthTestCase{
 		id:          6,
 		scramType:   ScramSHA512,
 		usesCb:      true,
-		cbBytes:     utilrand.RandomBytes(32),
+		cbBytes:     randomBytes(32),
 		gs2BindFlag: "p=tls-unique",
 		authID:      "a=jackal.im",
 		n:           "ortuman",

diff --git a/util/pool/buffer_test.go b/util/pool/buffer_test.go
@@ -6,10 +6,10 @@
 package pool
 
 import (
+	"math/rand"
 	"reflect"
 	"testing"
 
-	utilrand "github.com/ortuman/jackal/util/rand"
 	"github.com/stretchr/testify/require"
 )
 
@@ -22,7 +22,13 @@ func TestBufferPool_GetAndPut(t *testing.T) {
 	require.Equal(t, "*bytes.Buffer", reflect.ValueOf(buf).Type().String())
 
 	buf = p.Get()
-	buf.Write(utilrand.RandomBytes(randomBytesLength))
+
+	randomBytes := make([]byte, randomBytesLength)
+	_, err := rand.Read(randomBytes)
+	if err != nil {
+		t.Errorf("error reading random bytes: %v", err)
+	}
+	buf.Write(randomBytes)
 	require.Equal(t, randomBytesLength, buf.Len())
 	p.Put(buf)
 	buf = p.Get()

diff --git a/util/rand/rand.go b/util/rand/rand.go
diff --git a/util/rand/rand_test.go b/util/rand/rand_test.go