fix(init): secret data at rest encryption key should be truly random (#797)

First, use cryptographically secure random number generator.

Second, generate 32 random bytes and don't limit them to any range, as
they're going to be base64-encoded anyway.

Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Andrey Smirnov 2019-06-28 17:57:51 +03:00 committed by GitHub
parent 18f59d8f0b
commit 6b0a66b514
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6,12 +6,11 @@ package cis
import ( import (
"bytes" "bytes"
"crypto/rand"
"encoding/base64" "encoding/base64"
"io/ioutil" "io/ioutil"
"math/rand"
"os" "os"
"text/template" "text/template"
"time"
"github.com/talos-systems/talos/internal/pkg/constants" "github.com/talos-systems/talos/internal/pkg/constants"
@ -64,20 +63,12 @@ func CreateEncryptionToken() error {
return nil return nil
} }
random := func(min, max int) int { encryptionKey := make([]byte, 32)
return rand.Intn(max-min) + min if _, err := rand.Read(encryptionKey); err != nil {
return err
} }
var encryptionKeySecret string
seed := time.Now().Unix()
rand.Seed(seed)
for i := 0; i < 32; i++ {
n := random(0, 94)
start := "!"
encryptionKeySecret += string(start[0] + byte(n))
}
data := []byte(encryptionKeySecret)
str := base64.StdEncoding.EncodeToString(data) str := base64.StdEncoding.EncodeToString(encryptionKey)
aux := struct { aux := struct {
AESCBCEncryptionSecret string AESCBCEncryptionSecret string
}{ }{