mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-03 03:57:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

security: crypto/rand ShuffleChromeTLSExtensions (#286)

Browse source 
`math/rand` might not be randomly seeded as documented on some platforms, including wasm.

Signed-off-by: Gaukas Wang <i@gaukas.wang>
This commit is contained in:
Gaukas Wang 2024-02-21 14:40:15 -07:00 committed by GitHub
parent d2768e4eaa
commit 3d4788c54d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 21 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

27
u_parrots.go
View file

@ -6,11 +6,14 @@ package tls
import ( import (
"crypto/ecdh" "crypto/ecdh"
crand "crypto/rand"
"crypto/sha256" "crypto/sha256"
"encoding/binary" "encoding/binary"
"errors" "errors"
"fmt" "fmt"
"io" "io"
"math"
"math/big"
"math/rand" "math/rand"
"sort" "sort"
"strconv" "strconv"
@ -2558,12 +2561,24 @@ func ShuffleChromeTLSExtensions(exts []TLSExtension) []TLSExtension {
} }
// Shuffle other extensions // Shuffle other extensions
rand.Shuffle(len(exts), func(i, j int) { randInt64, err := crand.Int(crand.Reader, big.NewInt(math.MaxInt64))
if skipShuf(i, exts) || skipShuf(j, exts) { if err != nil {
return // do not shuffle some of the extensions // warning: random could be deterministic
} rand.Shuffle(len(exts), func(i, j int) {
exts[i], exts[j] = exts[j], exts[i] if skipShuf(i, exts) || skipShuf(j, exts) {
}) return // do not shuffle some of the extensions
}
exts[i], exts[j] = exts[j], exts[i]
})
fmt.Println("Warning: failed to use a cryptographically secure random number generator. The shuffle can be deterministic.")
} else {
rand.New(rand.NewSource(randInt64.Int64())).Shuffle(len(exts), func(i, j int) {
if skipShuf(i, exts) || skipShuf(j, exts) {
return // do not shuffle some of the extensions
}
exts[i], exts[j] = exts[j], exts[i]
})
}
return exts return exts
} }