syncthing/lib
Jakob Borg 31b5156191 lib/util: Add secure random numbers source (fixes #3178)
The math/rand package contains lots of convenient functions, for example
to get an integer in a specified range without running into issues
caused by just truncating a number from a different distribution and so
on. But it's insecure, and we use it for things that benefit from being
more secure like session IDs, CSRF tokens and API keys.

This implements a math/rand.Source that reads from crypto/rand.Reader,
thus bridging the gap between them. It also updates our RandomString to
use the new source, thus giving us secure session IDs and CSRF tokens.

Some future work remains:

 - Fix API keys by making the generation in the UI use this code as well

 - Refactor out these things into an actual random package, and audit
   our use of randomness everywhere

I'll leave both of those for the future in order to not muddy the waters
on this diff...

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3180
2016-05-25 06:38:38 +00:00
auto build: Generate gui.files.go on the fly, remove from repo 2016-03-28 10:03:13 +00:00
beacon Remove unused struct field 2015-10-27 09:55:05 +01:00
config all: Remove execute bit for non-executable files 2016-05-17 14:39:50 +00:00
connections lib/connections: Shorten connection limiting lines 2016-05-24 21:57:56 +00:00
db lib/model: Fix accounting error in rescan with multiple subs (fixes #3028) 2016-05-09 12:56:21 +00:00
dialer lib/dialer: Add env var to disable proxy fallback (fixes #3006) 2016-04-24 16:30:20 +00:00
discover all: Correct spelling in comments 2016-05-08 10:54:22 +00:00
events cmd/syncthing: Emit new RemoteDownloadProgress event to track remote download progress 2016-05-22 07:52:08 +00:00
ignore lib/model: Handle (?d) deletes of directories (fixes #3164) 2016-05-23 23:32:08 +00:00
logger cmd/syncthing: Extract interfaces for things the API depends on 2016-03-21 19:36:08 +00:00
model lib/model: Handle (?d) deletes of directories (fixes #3164) 2016-05-23 23:32:08 +00:00
nat lib/connections: Refactor 2016-05-04 19:38:12 +00:00
osutil lib/model: Handle (?d) deletes of directories (fixes #3164) 2016-05-23 23:32:08 +00:00
pmp vendor: Replace github.com/jackpal/gateway with github.com/calmh/gateway (fixes #3142) 2016-05-22 09:04:27 +00:00
protocol lib/model: Emit LocalDiskUpdated events on detecting local changes 2016-05-19 00:19:26 +00:00
rc cmd/stbench: Add utility to run benchmark tests 2016-03-25 20:52:20 +00:00
relay lib/connections: Un-deprecate relaysEnabled (fixes #3074) 2016-05-17 00:05:38 +00:00
scanner lib/scanner: Refactor scanner.Walk API 2016-05-09 18:25:39 +00:00
signature
stats We should pass around db.Instance instead of leveldb.DB 2015-10-31 12:35:30 +01:00
symlinks
sync lib/sync: Skip the timing tests if the host timer is flaky 2016-03-27 10:41:38 +00:00
tlsutil
upgrade lib: simplify code 2016-05-18 22:47:11 +00:00
upnp lib: simplify code 2016-05-18 22:47:11 +00:00
util lib/util: Add secure random numbers source (fixes #3178) 2016-05-25 06:38:38 +00:00
versioner lib/versioner: Refactor for testing, speed up test 2016-04-15 14:26:39 +00:00