From eb0126764317528cca76175a4bb20a881a50ecc2 Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Tue, 25 Jul 2017 09:01:29 +0100 Subject: [PATCH] secure key generation --- auth.go | 24 +++++++++++++----------- filemanager.go | 8 +++++++- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/auth.go b/auth.go index 4e19ac50..06a61bc6 100644 --- a/auth.go +++ b/auth.go @@ -1,8 +1,8 @@ package filemanager import ( + "crypto/rand" "encoding/json" - "math/rand" "net/http" "strings" "time" @@ -147,15 +147,17 @@ func checkPasswordHash(password, hash string) bool { return err == nil } -const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" - -// randomString creates a string with a defined length using the above charset. -func randomString(length int) string { - seededRand := rand.New(rand.NewSource(time.Now().UnixNano())) - - b := make([]byte, length) - for i := range b { - b[i] = charset[seededRand.Intn(len(charset))] +// generateRandomBytes returns securely generated random bytes. +// It will return an error if the system's secure random +// number generator fails to function correctly, in which +// case the caller should not continue. +func generateRandomBytes(n int) ([]byte, error) { + b := make([]byte, n) + _, err := rand.Read(b) + // Note that err == nil only if we read len(b) bytes. + if err != nil { + return nil, err } - return string(b) + + return b, nil } diff --git a/filemanager.go b/filemanager.go index 9a8d7762..5951fd70 100644 --- a/filemanager.go +++ b/filemanager.go @@ -163,7 +163,13 @@ func New(database string, base User) (*FileManager, error) { // If it doesn't exist, create a new one of 256 bits. err = db.Get("config", "key", &m.key) if err != nil && err == storm.ErrNotFound { - m.key = []byte(randomString(64)) + var bytes []byte + bytes, err = generateRandomBytes(64) + if err != nil { + return nil, err + } + + m.key = bytes err = db.Set("config", "key", m.key) }