vault: use OsRng for AES-GCM IV and salt generation

Replace rand::random() with rand::rngs::OsRng for cryptographic nonce
and salt generation in encryption.rs. rand::random() uses thread-local
RNG which may not be a CSPRNG on all platforms; OsRng reads from the
OS entropy source, preventing catastrophic IV reuse under AES-GCM.

Drift item #1 (security-critical).
This commit is contained in:
2026-06-23 13:09:07 +00:00
parent 098fd8b9b9
commit f43246b978

View File

@@ -37,6 +37,7 @@ use aes_gcm::{
aead::{Aead, KeyInit}, aead::{Aead, KeyInit},
Aes256Gcm, Nonce, Aes256Gcm, Nonce,
}; };
use rand::{rngs::OsRng, RngCore};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use zeroize::Zeroize; use zeroize::Zeroize;
@@ -129,12 +130,14 @@ pub fn encrypt(plaintext: &str, key: &EncryptionKey) -> Result<EncryptedData, En
let cipher = Aes256Gcm::new_from_slice(&key.key_bytes) let cipher = Aes256Gcm::new_from_slice(&key.key_bytes)
.map_err(|e| EncryptionError::Encryption(format!("invalid key length: {e}")))?; .map_err(|e| EncryptionError::Encryption(format!("invalid key length: {e}")))?;
// Generate random IV (12 bytes for AES-GCM) // Generate random IV (12 bytes for AES-GCM) using OsRng CSPRNG
let iv_bytes: [u8; 12] = rand::random(); let mut iv_bytes = [0u8; 12];
OsRng.fill_bytes(&mut iv_bytes);
let nonce = Nonce::from_slice(&iv_bytes); let nonce = Nonce::from_slice(&iv_bytes);
// TODO(Phase B): Use salt in HKDF-based key derivation // TODO(Phase B): Use salt in HKDF-based key derivation
let salt_bytes: [u8; 32] = rand::random(); let mut salt_bytes = [0u8; 32];
OsRng.fill_bytes(&mut salt_bytes);
let ciphertext = cipher let ciphertext = cipher
.encrypt(nonce, plaintext.as_bytes()) .encrypt(nonce, plaintext.as_bytes())