(GSC-G404) Audit the random number generation source (rand)

[ii64]

Self note

decide random library to use math/rand or crypto/rand ???

Description

math/rand is much faster for applications that don’t need crypto-level or security-related random data generation. crypto/rand is suited for secure and crypto-ready usage, but it’s slower. It is highly recommended to use crypto/rand when needing to be secure with random numbers such as generating session ID in a web application. …

Occurrences

There is 1 occurrence of this issue in the repository.

See all occurrences on DeepSource → deepsource.io/gh/ii64/tanem/issue/GSC-G404/occurrences/

[ii64]

Reference

http://en.wikipedia.org/wiki/Lagged_Fibonacci_generator

https://groups.google.com/g/golang-nuts/c/RZ1G3_cxMcM

https://forum.golangbridge.org/t/go-math-rand-algorithm/13142/5

https://appliedgo.net/random/

https://security.stackexchange.com/questions/3936/is-a-rand-from-dev-urandom-secure-for-a-login-key

https://golang.org/src/math/rand/rng.go

https://golang.org/src/math/rand/rand.go

var globalRand = New(&lockedSource{src: NewSource(1).(*rngSource)})

// Read generates len(p) random bytes and writes them into p. It
// always returns len(p) and a nil error.
// Read should not be called concurrently with any other Rand method.
func (r *Rand) Read(p []byte) (n int, err error) {
	if lk, ok := r.src.(*lockedSource); ok {
		return lk.read(p, &r.readVal, &r.readPos)
	}
	return read(p, r.src, &r.readVal, &r.readPos)
}

func read(p []byte, src Source, readVal *int64, readPos *int8) (n int, err error) {
	pos := *readPos
	val := *readVal
	rng, _ := src.(*rngSource)
	for n = 0; n < len(p); n++ {
		if pos == 0 {
			if rng != nil {
				val = rng.Int63()
			} else {
				val = src.Int63()
			}
			pos = 7
		}
		p[n] = byte(val)
		val >>= 8
		pos--
	}
	*readPos = pos
	*readVal = val
	return
}

// Read generates len(p) random bytes from the default Source and
// writes them into p. It always returns len(p) and a nil error.
// Read, unlike the Rand.Read method, is safe for concurrent use.
func Read(p []byte) (n int, err error) { return globalRand.Read(p) }