secure key generation

Former-commit-id: 65ac66cff7b8729207045754674d5768c709c850 [formerly ffe758e02f53a68f4e5e141d9697667293eea3db] [formerly b4c075bca9f7b1ebac7bf798e3f694059df6f34c [formerly eb01267643]]
Former-commit-id: ccf78e5c6ca1d7be8125031dd905b57adab6ddb0 [formerly 7776566a9d8f1861b84ffdfe70bd49e506371845]
Former-commit-id: 51ddf89483b176a0b35df85dc7d4b1b60edcff64

auth.go

@@ -1,8 +1,8 @@
 package filemanager
 
 import (
+	"crypto/rand"
 	"encoding/json"
-	"math/rand"
 	"net/http"
 	"strings"
 	"time"
@@ -147,15 +147,17 @@ func checkPasswordHash(password, hash string) bool {
 	return err == nil
 }
 
-const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-
-// randomString creates a string with a defined length using the above charset.
-func randomString(length int) string {
-	seededRand := rand.New(rand.NewSource(time.Now().UnixNano()))
-
-	b := make([]byte, length)
-	for i := range b {
-		b[i] = charset[seededRand.Intn(len(charset))]
+// generateRandomBytes returns securely generated random bytes.
+// It will return an error if the system's secure random
+// number generator fails to function correctly, in which
+// case the caller should not continue.
+func generateRandomBytes(n int) ([]byte, error) {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	// Note that err == nil only if we read len(b) bytes.
+	if err != nil {
+		return nil, err
 	}
-	return string(b)
+
+	return b, nil
 }

filemanager.go

@@ -163,7 +163,13 @@ func New(database string, base User) (*FileManager, error) {
 	// If it doesn't exist, create a new one of 256 bits.
 	err = db.Get("config", "key", &m.key)
 	if err != nil && err == storm.ErrNotFound {
-		m.key = []byte(randomString(64))
+		var bytes []byte
+		bytes, err = generateRandomBytes(64)
+		if err != nil {
+			return nil, err
+		}
+
+		m.key = bytes
 		err = db.Set("config", "key", m.key)
 	}