syncthing/lib/rand/random.go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at https://mozilla.org/MPL/2.0/.

// Package rand implements functions similar to math/rand in the standard
// library, but on top of a secure random number generator.
package rand

import (
	"crypto/md5"
	cryptoRand "crypto/rand"
	"encoding/binary"
	"io"
	mathRand "math/rand"
)

// Reader is the standard crypto/rand.Reader, re-exported for convenience
var Reader = cryptoRand.Reader

// randomCharset contains the characters that can make up a randomString().
const randomCharset = "2345679abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRSTUVWXYZ"

var (
	// defaultSecureSource is a concurrency safe math/rand.Source with a
	// cryptographically sound base.
	defaltSecureSource = newSecureSource()

	// defaultSecureRand is a math/rand.Rand based on the secure source.
	defaultSecureRand = mathRand.New(defaltSecureSource)
)

// String returns a strongly random string of characters (taken from
// randomCharset) of the specified length. The returned string contains ~5.8
// bits of entropy per character, due to the character set used.
func String(l int) string {
	bs := make([]byte, l)
	for i := range bs {
		bs[i] = randomCharset[defaultSecureRand.Intn(len(randomCharset))]
	}
	return string(bs)
}

// Int63 returns a strongly random int63
func Int63() int64 {
	return defaltSecureSource.Int63()
}

// Int64 returns a strongly random int64
func Int64() int64 {
	var bs [8]byte
	_, err := io.ReadFull(cryptoRand.Reader, bs[:])
	if err != nil {
		panic("randomness failure: " + err.Error())
	}
	return int64(binary.BigEndian.Uint64(bs[:]))
}

// Intn returns, as an int, a non-negative strongly random number in [0,n).
// It panics if n <= 0.
func Intn(n int) int {
	return defaultSecureRand.Intn(n)
}

// SeedFromBytes calculates a weak 64 bit hash from the given byte slice,
// suitable for use a predictable random seed.
func SeedFromBytes(bs []byte) int64 {
	h := md5.New()
	h.Write(bs)
	s := h.Sum(nil)
	// The MD5 hash of the byte slice is 16 bytes long. We interpret it as two
	// uint64s and XOR them together.
	return int64(binary.BigEndian.Uint64(s[0:]) ^ binary.BigEndian.Uint64(s[8:]))
}
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`// Copyright (C) 2014 The Syncthing Authors.`
			`//`
MPLv2 2015-03-07 20:36:35 +00:00			`// This Source Code Form is subject to the terms of the Mozilla Public`
			`// License, v. 2.0. If a copy of the MPL was not distributed with this file,`
all: Update license url to https (ref #3976) 2017-02-09 06:52:18 +00:00			`// You can obtain one at https://mozilla.org/MPL/2.0/.`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`// Package rand implements functions similar to math/rand in the standard`
			`// library, but on top of a secure random number generator.`
			`package rand`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00
			`import (`
			`"crypto/md5"`
			`cryptoRand "crypto/rand"`
			`"encoding/binary"`
crypto/rand.Reader may not return all entropy immediately 2014-12-08 18:36:08 +00:00			`"io"`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`mathRand "math/rand"`
			`)`

lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`// Reader is the standard crypto/rand.Reader, re-exported for convenience`
			`var Reader = cryptoRand.Reader`

Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`// randomCharset contains the characters that can make up a randomString().`
cmd/syncthing: Use random folder ID for default folder, limit random charset This uses the same charset as the Javascript code, excluding confusing characters like 0, O, I, 1, l etc. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3064 2016-05-09 09:43:40 +00:00			`const randomCharset = "2345679abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRSTUVWXYZ"`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00
lib/util: Add secure random numbers source (fixes #3178) The math/rand package contains lots of convenient functions, for example to get an integer in a specified range without running into issues caused by just truncating a number from a different distribution and so on. But it's insecure, and we use if for things that benefit from being more secure like session IDs, CSRF tokens and API keys. This implements a math/rand.Source that reads from crypto/rand.Reader, this bridging the gap between them. It also updates our RandomString to use the new source, thus giving us secure session IDs and CSRF tokens. Some future work remains: - Fix API keys by making the generation in the UI use this code as well - Refactor out these things into an actual random package, and audit our use of randomness everywhere I'll leave both of those for the future in order to not muddy the waters on this diff... GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3180 2016-05-25 06:38:38 +00:00			`var (`
			`// defaultSecureSource is a concurrency safe math/rand.Source with a`
			`// cryptographically sound base.`
			`defaltSecureSource = newSecureSource()`

			`// defaultSecureRand is a math/rand.Rand based on the secure source.`
			`defaultSecureRand = mathRand.New(defaltSecureSource)`
			`)`

lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`// String returns a strongly random string of characters (taken from`
lib/util: Add secure random numbers source (fixes #3178) The math/rand package contains lots of convenient functions, for example to get an integer in a specified range without running into issues caused by just truncating a number from a different distribution and so on. But it's insecure, and we use if for things that benefit from being more secure like session IDs, CSRF tokens and API keys. This implements a math/rand.Source that reads from crypto/rand.Reader, this bridging the gap between them. It also updates our RandomString to use the new source, thus giving us secure session IDs and CSRF tokens. Some future work remains: - Fix API keys by making the generation in the UI use this code as well - Refactor out these things into an actual random package, and audit our use of randomness everywhere I'll leave both of those for the future in order to not muddy the waters on this diff... GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3180 2016-05-25 06:38:38 +00:00			`// randomCharset) of the specified length. The returned string contains ~5.8`
			`// bits of entropy per character, due to the character set used.`
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`func String(l int) string {`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`bs := make([]byte, l)`
			`for i := range bs {`
lib/util: Add secure random numbers source (fixes #3178) The math/rand package contains lots of convenient functions, for example to get an integer in a specified range without running into issues caused by just truncating a number from a different distribution and so on. But it's insecure, and we use if for things that benefit from being more secure like session IDs, CSRF tokens and API keys. This implements a math/rand.Source that reads from crypto/rand.Reader, this bridging the gap between them. It also updates our RandomString to use the new source, thus giving us secure session IDs and CSRF tokens. Some future work remains: - Fix API keys by making the generation in the UI use this code as well - Refactor out these things into an actual random package, and audit our use of randomness everywhere I'll leave both of those for the future in order to not muddy the waters on this diff... GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3180 2016-05-25 06:38:38 +00:00			`bs[i] = randomCharset[defaultSecureRand.Intn(len(randomCharset))]`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`}`
			`return string(bs)`
			`}`

lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`// Int63 returns a strongly random int63`
			`func Int63() int64 {`
			`return defaltSecureSource.Int63()`
			`}`

			`// Int64 returns a strongly random int64`
			`func Int64() int64 {`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`var bs [8]byte`
Include error in randomness failure panic 2014-12-08 18:40:38 +00:00			`_, err := io.ReadFull(cryptoRand.Reader, bs[:])`
			`if err != nil {`
			`panic("randomness failure: " + err.Error())`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`}`
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`return int64(binary.BigEndian.Uint64(bs[:]))`
			`}`

			`// Intn returns, as an int, a non-negative strongly random number in [0,n).`
			`// It panics if n <= 0.`
			`func Intn(n int) int {`
			`return defaultSecureRand.Intn(n)`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`}`

lib/connections: Refactor address listing into connection service 2016-03-25 07:35:18 +00:00			`// SeedFromBytes calculates a weak 64 bit hash from the given byte slice,`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`// suitable for use a predictable random seed.`
lib/connections: Refactor address listing into connection service 2016-03-25 07:35:18 +00:00			`func SeedFromBytes(bs []byte) int64 {`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`h := md5.New()`
all: Revert the underscore sillyness 2019-02-02 11:16:27 +00:00			`h.Write(bs)`
Refactor random string stuff and seeding Make sure we have a good random seed on the default RNG, that the predictable RNG is clearly marked as such, that random strings are actually the length requested, and that they contain a restricted set of characters only. 2014-12-07 15:41:24 +00:00			`s := h.Sum(nil)`
			`// The MD5 hash of the byte slice is 16 bytes long. We interpret it as two`
			`// uint64s and XOR them together.`
			`return int64(binary.BigEndian.Uint64(s[0:]) ^ binary.BigEndian.Uint64(s[8:]))`
			`}`