Commit 3640a003 authored by ale's avatar ale

Make random value generation safer

Panic on short reads and other errors.
parent e124bf26
Pipeline #648 passed with stages
in 1 minute and 19 seconds
package httpsso
import (
"crypto/rand"
"encoding/gob"
"encoding/hex"
"io"
"math/rand"
"log"
"net/http"
"net/url"
"strings"
......@@ -95,6 +96,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, sessi
// Pop the nonce from the session.
nonce, ok := session.Values["nonce"].(string)
if !ok || nonce == "" {
log.Printf("got login request without nonce")
http.Error(w, "Missing nonce", http.StatusBadRequest)
return
}
......@@ -102,6 +104,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, sessi
tkt, err := s.v.Validate(t, nonce, service, groups)
if err != nil {
log.Printf("validation error for token %s: %v", t, err)
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
......@@ -171,7 +174,7 @@ func getFullURL(req *http.Request, scheme string) *url.URL {
func makeUniqueNonce() string {
var b [8]byte
if _, err := rand.Read(b[:]); err != nil {
if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
panic(err)
}
return hex.EncodeToString(b[:])
......
......@@ -8,6 +8,7 @@ import (
"encoding/xml"
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
......@@ -208,7 +209,7 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
func randomBytes(n int) []byte {
b := make([]byte, n)
if _, err := rand.Read(b); err != nil {
if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
panic(err)
}
return b
......
......@@ -3,6 +3,7 @@ package device
import (
"crypto/rand"
"encoding/hex"
"io"
"log"
"net"
"net/http"
......@@ -15,7 +16,9 @@ import (
func randomDeviceID() string {
b := make([]byte, 8)
rand.Read(b)
if _, err := io.ReadFull(rand.Reader, b[:]); err != nil {
panic(err)
}
return hex.EncodeToString(b)
}
......
package server
import (
"crypto/rand"
"fmt"
"io/ioutil"
"os"
......@@ -12,7 +11,7 @@ import (
)
func testConfig(t testing.TB, tmpdir string) *Config {
pub, priv, err := ed25519.GenerateKey(rand.Reader)
pub, priv, err := ed25519.GenerateKey(nil)
if err != nil {
t.Fatal(err)
}
......
package sso
import (
"crypto/rand"
"testing"
"time"
......@@ -9,7 +8,7 @@ import (
)
func TestEd25519(t *testing.T) {
pub, priv, err := ed25519.GenerateKey(rand.Reader)
pub, priv, err := ed25519.GenerateKey(nil)
if err != nil {
t.Fatal(err)
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment