anytype-heart
anytype-heart copied to clipboard
Published
20 hours ago •
anyproto
anyproto
use crypto safe prng for session seed
- [x] I understand that contributing to this repository will require me to agree with the CLA
Description
This PR replaces math/rand with crypto/rand when generating seed. The math/rand is using LFG without cryptography guarantee. Seed format is changed by adding 8 more bytes, but should be safe since it's not used yet.
Risk of panic() seems acceptable, because it only happens under these scenarios, and those would almost crash other parts of the application first:
- *nix: Raise error if open or read
/dev/urandomread failed. - Windows: Call to RtlGenRandom failed. Discussed in golang/go#33542 and seems only fail if "a size addition overflows", which seems hard in this case.
- Javascript: Never fail
So I think it won't panic under most cases.
What type of PR is this? (check all applicable)
- [x] 🍕 Feature
- [ ] 🐛 Bug Fix
- [ ] 📝 Documentation Update
- [ ] 🎨 Style
- [ ] 🧑💻 Code Refactor
- [ ] 🔥 Performance Improvements
- [ ] ✅ Test
- [ ] 🤖 Build
- [ ] 🔁 CI
Related Tickets & Documents
N/A
Mobile & Desktop Screenshots/Recordings
N/A
Added tests?
- [ ] 👍 yes
- [x] 🙅 no, because they aren't needed
- [ ] 🙋 no, because I need help
Added to documentation?
- [ ] 📜 README.md
- [ ] 📓 tech-docs
- [x] 🙅 no documentation needed
