Merge pull request #3 from Oneiroi/entropy_enhancements

Quick and probably nasty kludge to introduce increased entropy method…
Quiq · Jun 29, 2022 · a36d0f0 · a36d0f0
2 parents 7538843 + f7f4776
commit a36d0f0
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 21 deletions.
diff --git a/main.go b/main.go
@@ -79,7 +79,6 @@ func main() {
 
 	loginError = WebAuthnError{Message: "Unable to login"}
 	registrationError = WebAuthnError{Message: "Error during registration"}
-	util.RandInit()
 
 	users = make(map[string]u.User)
 	registrations = make(map[string]u.User)
@@ -179,7 +178,7 @@ func main() {
 			}
 			webAuthns[rpOrigin] = webAuthn
 
-			var sessionStoreKey = util.RandStringBytesRmndr(32)
+			var sessionStoreKey = []byte(util.GenChallenge())
 			var sessionStore = sessions.NewCookieStore(sessionStoreKey)
 			// Sessions maintained for up to soft timeout limit
 			sessionStore.Options = &sessions.Options{
@@ -611,7 +610,7 @@ func checkOrigin(r *http.Request) (*webauthn.WebAuthn, *sessions.CookieStore, er
 		}
 		webAuthns[origin] = webAuthn
 
-		var sessionStoreKey = util.RandStringBytesRmndr(32)
+		var sessionStoreKey = []byte(util.GenChallenge())
 		var sessionStore = sessions.NewCookieStore(sessionStoreKey)
 		// Sessions maintained for up to soft timeout limit
 		sessionStore.Options = &sessions.Options{

diff --git a/util/util.go b/util/util.go
@@ -1,19 +1,17 @@
 package util
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
 	"net/http"
 	"regexp"
 
+	"github.com/duo-labs/webauthn/protocol"
 	"github.com/duo-labs/webauthn/webauthn"
 	"github.com/gorilla/sessions"
-
-	crypto_rand "crypto/rand"
-	"encoding/binary"
-	math_rand "math/rand"
 )
 
 const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
@@ -86,20 +84,12 @@ func SaveWebauthnSession(session *sessions.Session, key string, sessionData *web
 	return nil
 }
 
-func RandInit() {
-	var b [8]byte
-	_, err := crypto_rand.Read(b[:])
+// Generate crytographically secure challenge
+func GenChallenge() string {
+	//call on the import DUO method
+	challenge, err := protocol.CreateChallenge()
 	if err != nil {
-		panic("cannot seed math/rand package with cryptographically secure random number generator")
-	}
-	math_rand.Seed(int64(binary.LittleEndian.Uint64(b[:])))
-}
-
-// Generate a random string of alpha characters of length n
-func RandStringBytesRmndr(n int) []byte {
-	b := make([]byte, n)
-	for i := range b {
-		b[i] = letterBytes[math_rand.Int63()%int64(len(letterBytes))]
+		panic("Failed to generate cryographically secure challenge")
 	}
-	return b
+	return base64.RawURLEncoding.EncodeToString(challenge)
 }