From d094cb7c5c2ba7259c290611d0672837268ea46e Mon Sep 17 00:00:00 2001 From: Jonas Pfenniger Date: Wed, 23 Oct 2013 10:58:48 +0100 Subject: [PATCH 1/3] Fixes missing entropy in the uuid package. math/crypto is seeded with 1 and thus will create predictable UUIDs. Because amazon-instance and amazon-ebs in the same second when building both targets the timestamp in front doesn't help either. See #552 --- common/uuid/uuid.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/common/uuid/uuid.go b/common/uuid/uuid.go index 496a2f6ef..0f6cf11b6 100644 --- a/common/uuid/uuid.go +++ b/common/uuid/uuid.go @@ -2,17 +2,26 @@ package uuid import ( "fmt" - "math/rand" + "crypto/rand" + "encoding/binary" "time" ) +func uint32rand() (value uint32) { + err := binary.Read(rand.Reader, binary.LittleEndian, &value) + if err != nil { + panic(err) + } + return +} + // Generates a time ordered UUID. Top 32 bits are a timestamp, // bottom 96 are random. func TimeOrderedUUID() string { unix := uint32(time.Now().UTC().Unix()) - rand1 := rand.Uint32() - rand2 := rand.Uint32() - rand3 := rand.Uint32() + rand1 := uint32rand() + rand2 := uint32rand() + rand3 := uint32rand() return fmt.Sprintf("%08x-%04x-%04x-%04x-%04x%08x", unix, uint16(rand1>>16), From 19b1bdee98051d2ea8d0b66b68bfa930b7af2335 Mon Sep 17 00:00:00 2001 From: Jonas Pfenniger Date: Wed, 23 Oct 2013 23:05:02 +0100 Subject: [PATCH 2/3] Simplifies the implementation of common/uuid --- common/uuid/uuid.go | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/common/uuid/uuid.go b/common/uuid/uuid.go index 0f6cf11b6..d8b9830be 100644 --- a/common/uuid/uuid.go +++ b/common/uuid/uuid.go @@ -1,32 +1,24 @@ package uuid import ( - "fmt" "crypto/rand" - "encoding/binary" + "fmt" "time" ) -func uint32rand() (value uint32) { - err := binary.Read(rand.Reader, binary.LittleEndian, &value) - if err != nil { - panic(err) - } - return -} - // Generates a time ordered UUID. Top 32 bits are a timestamp, // bottom 96 are random. func TimeOrderedUUID() string { unix := uint32(time.Now().UTC().Unix()) - rand1 := uint32rand() - rand2 := uint32rand() - rand3 := uint32rand() + + b := make([]byte, 12) + n, err := rand.Read(b) + if n != len(b) { + err = fmt.Errorf("Not enough entropy available") + } + if err != nil { + panic(err) + } return fmt.Sprintf("%08x-%04x-%04x-%04x-%04x%08x", - unix, - uint16(rand1>>16), - uint16(rand1&0xffff), - uint16(rand2>>16), - uint16(rand2&0xffff), - rand3) + unix, b[0:2], b[2:4], b[4:6], b[6:8], b[8:]) } From 8df4c991df83386e5c18ad808551dafb5cad1b62 Mon Sep 17 00:00:00 2001 From: Matthew Hooker Date: Wed, 23 Oct 2013 15:26:35 -0700 Subject: [PATCH 3/3] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea19b59ab..0f1dd2099 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ ## 0.4.0 (unreleased) +BUG FIXES: + +* common/uuid: Use cryptographically secure PRNG when generating + UUIDs. [GH-552] ## 0.3.10 (October 20, 2013)