From 94ccc95515981cdbf44251b7abed13c57a089146 Mon Sep 17 00:00:00 2001 From: Nick Craig-Wood Date: Fri, 24 Nov 2023 10:05:53 +0000 Subject: [PATCH] random: stop using deprecated rand.Seed in go1.20 and later --- lib/random/random.go | 16 ---------------- lib/random/random_seed.go | 17 +++++++++++++++++ lib/random/random_seed_old.go | 29 +++++++++++++++++++++++++++++ 3 files changed, 46 insertions(+), 16 deletions(-) create mode 100644 lib/random/random_seed.go create mode 100644 lib/random/random_seed_old.go diff --git a/lib/random/random.go b/lib/random/random.go index 19ed44458..8a7dfa077 100644 --- a/lib/random/random.go +++ b/lib/random/random.go @@ -67,19 +67,3 @@ func Password(bits int) (password string, err error) { password = base64.RawURLEncoding.EncodeToString(pw) return password, nil } - -// Seed the global math/rand with crypto strong data -// -// This doesn't make it OK to use math/rand in crypto sensitive -// environments - don't do that! However it does help to mitigate the -// problem if that happens accidentally. This would have helped with -// CVE-2020-28924 - #4783 -func Seed() error { - var seed int64 - err := binary.Read(cryptorand.Reader, binary.LittleEndian, &seed) - if err != nil { - return fmt.Errorf("failed to read random seed: %w", err) - } - mathrand.Seed(seed) - return nil -} diff --git a/lib/random/random_seed.go b/lib/random/random_seed.go new file mode 100644 index 000000000..c0c165779 --- /dev/null +++ b/lib/random/random_seed.go @@ -0,0 +1,17 @@ +//go:build go1.20 + +package random + +// Seed the global math/rand with crypto strong data +// +// This doesn't make it OK to use math/rand in crypto sensitive +// environments - don't do that! However it does help to mitigate the +// problem if that happens accidentally. This would have helped with +// CVE-2020-28924 - #4783 +// +// As of Go 1.20 there is no reason to call math/rand.Seed with a +// random value as it is self seeded to a random 64 bit number so this +// does nothing. +func Seed() error { + return nil +} diff --git a/lib/random/random_seed_old.go b/lib/random/random_seed_old.go new file mode 100644 index 000000000..8fce03ec3 --- /dev/null +++ b/lib/random/random_seed_old.go @@ -0,0 +1,29 @@ +//go:build !go1.20 + +package random + +import ( + cryptorand "crypto/rand" + "encoding/binary" + "fmt" + mathrand "math/rand" +) + +// Seed the global math/rand with crypto strong data +// +// This doesn't make it OK to use math/rand in crypto sensitive +// environments - don't do that! However it does help to mitigate the +// problem if that happens accidentally. This would have helped with +// CVE-2020-28924 - #4783 +// +// As of Go 1.20 there is no reason to call math/rand.Seed with a +// random value as it is self seeded to a random 64 bit number. +func Seed() error { + var seed int64 + err := binary.Read(cryptorand.Reader, binary.LittleEndian, &seed) + if err != nil { + return fmt.Errorf("failed to read random seed: %w", err) + } + mathrand.Seed(seed) + return nil +}