mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-16 14:45:28 +00:00
cluster-bootstrap: make randBytes() be in constant-time
The function generates bytes in the x={0-252} range and then applies an y=(x mod 36) to obtain allowed token characters from validBootstrapTokenChars[y]. Instead of using crypto/rand.Reader, use crypto/rand.Int() that operates in the val={0-len(validBootstrapTokenChars))}. Once a random index is generated, use simple operations to obtain a random character in the a-z,0-9 character range. This makes the character generation in constant-time.
This commit is contained in:
@@ -17,9 +17,9 @@ limitations under the License.
|
||||
package util
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
@@ -59,29 +59,21 @@ func GenerateBootstrapToken() (string, error) {
|
||||
// randBytes returns a random string consisting of the characters in
|
||||
// validBootstrapTokenChars, with the length customized by the parameter
|
||||
func randBytes(length int) (string, error) {
|
||||
// len("0123456789abcdefghijklmnopqrstuvwxyz") = 36 which doesn't evenly divide
|
||||
// the possible values of a byte: 256 mod 36 = 4. Discard any random bytes we
|
||||
// read that are >= 252 so the bytes we evenly divide the character set.
|
||||
const maxByteValue = 252
|
||||
|
||||
var (
|
||||
b byte
|
||||
err error
|
||||
token = make([]byte, length)
|
||||
max = new(big.Int).SetUint64(uint64(len(validBootstrapTokenChars)))
|
||||
)
|
||||
|
||||
reader := bufio.NewReaderSize(rand.Reader, length*2)
|
||||
for i := range token {
|
||||
for {
|
||||
if b, err = reader.ReadByte(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
if b < maxByteValue {
|
||||
break
|
||||
}
|
||||
val, err := rand.Int(rand.Reader, max)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("could not generate random integer: %w", err)
|
||||
}
|
||||
|
||||
token[i] = validBootstrapTokenChars[int(b)%len(validBootstrapTokenChars)]
|
||||
// Use simple operations in constant-time to obtain a byte in the a-z,0-9
|
||||
// character range
|
||||
x := val.Uint64()
|
||||
res := x + 48 + (39 & ((9 - x) >> 8))
|
||||
token[i] = byte(res)
|
||||
}
|
||||
|
||||
return string(token), nil
|
||||
|
Reference in New Issue
Block a user