fix(rand): Use crypto/rand instead of math/rand in FIPS mode [BE-12071] (#961)

Co-authored-by: codecov-ai[bot] <156709835+codecov-ai[bot]@users.noreply.github.com>

api/chisel/tunnel.go

@@ -4,7 +4,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"math/rand"
 	"net"
 	"strings"
 	"time"
@@ -14,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/internal/edge/cache"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/pkg/libcrypto"
+	"github.com/portainer/portainer/pkg/librand"
 
 	"github.com/dchest/uniuri"
 	"github.com/rs/zerolog/log"
@@ -200,7 +200,9 @@ func (service *Service) getUnusedPort() int {
 
 	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
 	if err == nil {
-		conn.Close()
+		if err := conn.Close(); err != nil {
+			log.Warn().Msg("failed to close tcp connection that checks if port is free")
+		}
 
 		log.Debug().
 			Int("port", port).
@@ -213,7 +215,7 @@ func (service *Service) getUnusedPort() int {
 }
 
 func randomInt(min, max int) int {
-	return min + rand.Intn(max-min)
+	return min + librand.Intn(max-min)
 }
 
 func generateRandomCredentials() (string, string) {

api/chisel/tunnel_test.go

@@ -0,0 +1,79 @@
+package chisel
+
+import (
+	"net"
+	"strings"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+type testSettingsService struct {
+	dataservices.SettingsService
+}
+
+func (s *testSettingsService) Settings() (*portainer.Settings, error) {
+	return &portainer.Settings{
+		EdgeAgentCheckinInterval: 1,
+	}, nil
+}
+
+type testStore struct {
+	dataservices.DataStore
+}
+
+func (s *testStore) Settings() dataservices.SettingsService {
+	return &testSettingsService{}
+}
+
+func TestGetUnusedPort(t *testing.T) {
+	testCases := []struct {
+		name            string
+		existingTunnels map[portainer.EndpointID]*portainer.TunnelDetails
+		expectedError   error
+	}{
+		{
+			name: "simple case",
+		},
+		{
+			name: "existing tunnels",
+			existingTunnels: map[portainer.EndpointID]*portainer.TunnelDetails{
+				portainer.EndpointID(1): {
+					Port: 53072,
+				},
+				portainer.EndpointID(2): {
+					Port: 63072,
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			store := &testStore{}
+			s := NewService(store, nil, nil)
+			s.activeTunnels = tc.existingTunnels
+			port := s.getUnusedPort()
+
+			if port < 49152 || port > 65535 {
+				t.Fatalf("Expected port to be inbetween 49152 and 65535 but got %d", port)
+			}
+
+			for _, tun := range tc.existingTunnels {
+				if tun.Port == port {
+					t.Fatalf("returned port %d already has an existing tunnel", port)
+				}
+			}
+
+			conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
+			if err == nil {
+				// Ignore error
+				_ = conn.Close()
+				t.Fatalf("expected port %d to be unused", port)
+			} else if !strings.Contains(err.Error(), "connection refused") {
+				t.Fatalf("unexpected error: %v", err)
+			}
+		})
+	}
+}

api/internal/randomstring/random_string.go

@@ -1,6 +1,6 @@
 package randomstring
 
-import "math/rand"
+import "github.com/portainer/portainer/pkg/librand"
 
 const letterBytes = "abcdefghijklmnopqrstuvwxyz0123456789"
 
@@ -8,7 +8,7 @@ const letterBytes = "abcdefghijklmnopqrstuvwxyz0123456789"
 func RandomString(n int) string {
 	b := make([]byte, n)
 	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
+		b[i] = letterBytes[librand.Intn(len(letterBytes))]
 	}
 	return string(b)
 }

api/internal/randomstring/random_string_test.go

@@ -0,0 +1,65 @@
+package randomstring
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/pkg/fips"
+	"github.com/stretchr/testify/require"
+)
+
+func init() {
+	fips.InitFIPS(false)
+}
+
+func TestRandomString(t *testing.T) {
+	testCases := []struct {
+		name     string
+		length   int
+		expected int
+	}{
+		{
+			name:     "zero length",
+			length:   0,
+			expected: 0,
+		},
+		{
+			name:     "short string",
+			length:   5,
+			expected: 5,
+		},
+		{
+			name:     "longer string",
+			length:   20,
+			expected: 20,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := RandomString(tc.length)
+			require.Equal(t, tc.expected, len(result))
+
+			// Verify all characters are from the expected alphabet
+			for _, char := range result {
+				require.Contains(t, letterBytes, string(char))
+			}
+		})
+	}
+}
+
+func TestRandomStringUniqueness(t *testing.T) {
+	// Generate multiple random strings and verify they are different
+	const numStrings = 100
+	const stringLength = 10
+
+	generated := make(map[string]bool)
+
+	for range numStrings {
+		str := RandomString(stringLength)
+		require.Equal(t, stringLength, len(str))
+
+		// Check if we've seen this string before (very unlikely for random strings)
+		require.False(t, generated[str], "Generated duplicate random string: %s", str)
+		generated[str] = true
+	}
+}

api/stacks/deployments/deployer_remote.go

@@ -5,13 +5,13 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"math/rand"
 	"os"
 	"strings"
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
+	"github.com/portainer/portainer/pkg/librand"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -210,7 +210,7 @@ func (d *stackDeployer) remoteStack(stack *portainer.Stack, endpoint *portainer.
 			fmt.Sprintf("%s:%s", composeDestination, composeDestination),
 			fmt.Sprintf("%s:%s", targetSocketBindHost, targetSocketBindContainer),
 		},
-	}, nil, nil, fmt.Sprintf("portainer-unpacker-%d-%s-%d", stack.ID, stack.Name, rand.Intn(100)))
+	}, nil, nil, fmt.Sprintf("portainer-unpacker-%d-%s-%d", stack.ID, stack.Name, librand.Intn(100)))
 
 	if err != nil {
 		return errors.Wrap(err, "unable to create unpacker container")

pkg/librand/rand.go

@@ -0,0 +1,47 @@
+package librand
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+	mrand "math/rand/v2"
+
+	"github.com/portainer/portainer/pkg/fips"
+)
+
+func Intn(max int) int {
+	return intn(max, fips.FIPSMode())
+}
+
+func intn(max int, fips bool) int {
+	return int(int64n(int64(max), fips))
+}
+
+func int64n(max int64, fips bool) int64 {
+	if !fips {
+		return mrand.Int64N(max)
+	}
+
+	i, err := rand.Int(rand.Reader, big.NewInt(max))
+	if err != nil {
+		panic(fmt.Sprintf("failed to generate a random number: %v", err))
+	}
+	if !i.IsInt64() {
+		panic("generated random number cannot be represented as an int64")
+	}
+
+	return i.Int64()
+}
+
+func Float64() float64 {
+	return randomFloat64(fips.FIPSMode())
+}
+
+func randomFloat64(fips bool) float64 {
+	if !fips {
+		return mrand.Float64()
+	}
+
+	// This is based of this comment https://cs.opensource.google/go/go/+/refs/tags/go1.24.5:src/math/rand/v2/rand.go;l=209
+	return float64(int64n(1<<53, fips) / (1 << 53))
+}

pkg/librand/rand_test.go

@@ -0,0 +1,81 @@
+package librand
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/pkg/fips"
+)
+
+func init() {
+	fips.InitFIPS(false)
+}
+
+func TestIntn(t *testing.T) {
+	i := Intn(10)
+
+	if i >= 10 || i < 0 {
+		t.Fatalf("random number %d wasn't within interval", i)
+	}
+}
+
+func TestInternalIntn(t *testing.T) {
+	testCases := []struct {
+		name string
+		max  int
+		fips bool
+	}{
+		{
+			name: "non-fips mode",
+			max:  10,
+			fips: false,
+		},
+		{
+			name: "fips mode",
+			max:  10,
+			fips: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			i := intn(tc.max, tc.fips)
+
+			if i >= tc.max || i < 0 {
+				t.Fatalf("random number %d wasn't within interval", i)
+			}
+		})
+	}
+}
+
+func TestFloat64(t *testing.T) {
+	f := Float64()
+
+	if f >= 1 || f < 0 {
+		t.Fatalf("random float %v wasn't within interval", f)
+	}
+}
+
+func TestInternalFloat64(t *testing.T) {
+	testCases := []struct {
+		name string
+		fips bool
+	}{
+		{
+			name: "non-fips mode",
+			fips: false,
+		},
+		{
+			name: "fips mode",
+			fips: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			f := randomFloat64(tc.fips)
+			if f >= 1 || f < 0 {
+				t.Fatalf("random float %v wasn't within interval", f)
+			}
+		})
+	}
+}