fix: Replace "math/rand" with "crypto/rand" in padding generation(#2032)
nlzy authored Oct 6, 2022
1 parent 5e8f5b3 commit a4a3f4d
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions common/crypto/auth.go
Expand Up @@ -2,8 +2,8 @@ package crypto

import (
"crypto/cipher"
"crypto/rand"
"io"
"math/rand"

"github.com/v2fly/v2ray-core/v5/common"
"github.com/v2fly/v2ray-core/v5/common/buf"
Expand Down Expand Up @@ -262,7 +262,8 @@ func (w *AuthenticationWriter) seal(b []byte) (*buf.Buffer, error) {
return nil, err
}
if paddingSize > 0 {
// With size of the chunk and padding length encrypted, the content of padding doesn't matter much.
// These paddings will send in clear text.
// To avoid leakage of PRNG internal state, a cryptographically secure PRNG should be used.
paddingBytes := eb.Extend(paddingSize)
common.Must2(rand.Read(paddingBytes))
}
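Review bot: The `common.Must2(rand.Read(paddingBytes))` line in `seal` now wraps a call that can really fail, because math/rand's Read always returned a nil error while crypto/rand's Read reports entropy-source failures. Must2 is defined outside this page and presumably panics on a non-nil error, which would take the process down from the write path. Since `seal` already returns an error (see the `return nil, err` just above), consider `if _, err := rand.Read(paddingBytes); err != nil { return nil, err }`, with whatever buffer cleanup the earlier error path does (not visible here). Either way the failure has to abort the chunk so that unfilled padding is never sent. The new comment would read more clearly as `// Padding is sent in clear text, so it must come from a CSPRNG to avoid leaking PRNG internal state.`; the body of `seal` begins and ends outside the hunk.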