Closed EP-u-NW closed 3 years ago
Hi, yes.
You are right about the `.nextInt(255)`, and we discovered it independently when abstracting away calls to `Random.secure`.
The reason for `return Platform.instance.platformEntropySource().getBytes(32);` is that on the nodejs runtime it fails to find `Random.secure` and a source of entropy needs to be sourced from the underlying platform.
I'll leave this issue open until the tutorials are updated with the new code 😄 But feel free to close it if you think that's not necessary.
> I'll leave this issue open until the tutorials are updated with the new code 😄
Lol.. I am just waiting for it to sync up then I will do a release.
MW
While reading `tutorials/rsa.md` I noticed that `seedSource.nextInt(255)` is used for seeding. Since in Dart `Random.nextInt()` is exclusive, it should in my opinion be `seedSource.nextInt(256)` to cover the whole value range of an unsigned 1 byte integer.

If you search this repo's files for `.nextInt(255)` this same thing will show up multiple times. In most places it's not critical (examples and tutorials), but in `lib\asymmetric\pkcs1.dart` and `lib\asymetric\oaep.dart` it might be a serious security vulnerability.

Edit: I noticed that `.nextInt(255)` was removed from the files in `lib` I mentioned above just yesterday and replaced with but not in the examples and tutorials.
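
The off-by-one discussed in this issue, as an added example that is not part of the original thread or the project's code: it fills 32-byte seeds with both bounds and reports the largest byte value each can produce. The helper names `seedBytes` and `maxObserved` are hypothetical, and only `dart:math` and `dart:typed_data` are used.

```dart
import 'dart:math';
import 'dart:typed_data';

/// Fills [length] bytes, drawing each one with the exclusive upper [bound].
/// Hypothetical helper mirroring the seeding loop from the tutorial.
Uint8List seedBytes(Random source, int length, int bound) {
  final out = Uint8List(length);
  for (var i = 0; i < length; i++) {
    out[i] = source.nextInt(bound); // yields 0 <= n < bound
  }
  return out;
}

/// Largest byte value seen across [rounds] freshly generated 32-byte seeds.
int maxObserved(Random source, int bound, {int rounds = 4096}) {
  var maxSeen = 0;
  for (var r = 0; r < rounds; r++) {
    for (final b in seedBytes(source, 32, bound)) {
      if (b > maxSeen) maxSeen = b;
    }
  }
  return maxSeen;
}

void main() {
  // Random.secure() throws UnsupportedError when the platform offers no
  // cryptographically secure source.
  final source = Random.secure();

  // Bound 255: the value 0xFF is unreachable, so every seed byte is drawn
  // from 255 values instead of 256.
  print('nextInt(255) max byte: ${maxObserved(source, 255)}');

  // Bound 256: the full unsigned byte range 0x00..0xFF is reachable.
  print('nextInt(256) max byte: ${maxObserved(source, 256)}');

  // Entropy given up by a 32-byte seed when each byte has 255 outcomes.
  final lostBits = 32 * (8 - log(255) / ln2);
  print('entropy lost over 32 bytes: ${lostBits.toStringAsFixed(3)} bits');
}
```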