fix: Replace "math/rand" with "crypto/rand" in padding generation(#2032)

2026-04-20 04:29:32 -04:00 · 2022-10-06 18:21:09 +08:00
parent 5e8f5b38b6
commit a4a3f4deec
1 changed files with 3 additions and 2 deletions
--- a/common/crypto/auth.go
+++ b/common/crypto/auth.go
@@ -2,8 +2,8 @@ package crypto

 import (
 	"crypto/cipher"
+	"crypto/rand"
 	"io"
-	"math/rand"

 	"github.com/v2fly/v2ray-core/v5/common"
 	"github.com/v2fly/v2ray-core/v5/common/buf"
@@ -262,7 +262,8 @@ func (w *AuthenticationWriter) seal(b []byte) (*buf.Buffer, error) {
 		return nil, err
 	}
 	if paddingSize > 0 {
-		// With size of the chunk and padding length encrypted, the content of padding doesn't matter much.
+		// These paddings will send in clear text.
+		// To avoid leakage of PRNG internal state, a cryptographically secure PRNG should be used.
 		paddingBytes := eb.Extend(paddingSize)
 		common.Must2(rand.Read(paddingBytes))
 	}