From f43246b9786dade22704227ddd7b24dcf98ed4ef Mon Sep 17 00:00:00 2001
From: "glm-5.2"
Date: Tue, 23 Jun 2026 13:09:07 +0000
Subject: [PATCH] vault: use OsRng for AES-GCM IV and salt generation

Replace rand::random() with rand::rngs::OsRng for cryptographic nonce and salt generation in encryption.rs. rand::random() uses thread-local RNG which may not be a CSPRNG on all platforms; OsRng reads from the OS entropy source, preventing catastrophic IV reuse under AES-GCM. Drift item #1 (security-critical).
---
 crates/alknet-vault/src/encryption.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/crates/alknet-vault/src/encryption.rs b/crates/alknet-vault/src/encryption.rs
index b1616a0..779e0ab 100644
--- a/crates/alknet-vault/src/encryption.rs
+++ b/crates/alknet-vault/src/encryption.rs
@@ -37,6 +37,7 @@ use aes_gcm::{
     aead::{Aead, KeyInit},
     Aes256Gcm, Nonce,
 };
+use rand::{rngs::OsRng, RngCore};
 use serde::{Deserialize, Serialize};
 use zeroize::Zeroize;
 
@@ -129,12 +130,14 @@ pub fn encrypt(plaintext: &str, key: &EncryptionKey) -> Result
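Review bot: Importing `RngCore` next to `OsRng` in the first hunk suggests the nonce/salt code now calls `OsRng.fill_bytes(..)`, which panics if the OS entropy source fails; in a vault encrypt path that should surface as an error instead, via the fallible form `OsRng.try_fill_bytes(&mut nonce).map_err(..)?` (on `RngCore` in rand 0.8, on `TryRngCore` in 0.9 — the mapping to this crate's error type is outside the hunk). Consider also `Aes256Gcm::generate_nonce(&mut OsRng)` from `aead::AeadCore` instead of hand-filling a byte array: it yields a correctly sized `Nonce` and sidesteps a `rand_core` version skew between `rand` and `aes-gcm` that would leave `rand::rngs::OsRng` not implementing the `RngCore` the `aead` API expects — I cannot confirm the pinned versions from this patch. A random 96-bit IV bounds rather than eliminates reuse, so per NIST SP 800-38D cap each key at 2^32 encryptions (rotate the key, or move to a counter/derived nonce beyond that), and that limit is worth a comment at the generation site. The description's premise also overstates the old risk: `rand::random()` draws from `ThreadRng`, a CSPRNG seeded from `OsRng` in every rand release this code could plausibly be on, so the change buys explicitness and auditability rather than fixing an actual non-CSPRNG source. The `encrypt` body the second hunk touches starts and ends outside this chunk, so its new lines are not reviewed here.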