fix(battle-node): NodeCrypto.GenerateKey masks rand source with & 0xF

2026-06-01 11:35:53 -04:00
parent e4fbb155e4
commit 34c4ca0237
2 changed files with 20 additions and 4 deletions
--- a/SVSim.BattleNode/Wire/NodeCrypto.cs
+++ b/SVSim.BattleNode/Wire/NodeCrypto.cs
@@ -12,9 +12,10 @@ public static class NodeCrypto
 {
    /// <summary>
    /// Generate a fresh 32-char key for server-initiated encryption.
-    /// Calls <paramref name="randHexDigit"/> 32 times expecting a value in [0,15],
-    /// formats each as a single hex char, then base64-encodes the resulting 32-char ASCII
-    /// string and truncates to 32 chars.
+    /// Calls <paramref name="randHexDigit"/> 32 times; the result is masked with
+    /// <c>&amp; 0xF</c> so a misbehaving caller that returns a larger int still produces
+    /// exactly one hex digit per iteration (the internal contract is "32 hex chars").
+    /// The 32-char ASCII string is then base64-encoded and truncated to 32 chars.
    /// </summary>
    /// <remarks>
    /// Differs from the client's <c>Cryptographer.generateKeyString</c> in input shape:
@@ -29,7 +30,7 @@ public static class NodeCrypto
        var sb = new StringBuilder(32);
        for (var i = 0; i < 32; i++)
        {
-            sb.Append(randHexDigit().ToString("x"));
+            sb.Append((randHexDigit() & 0xF).ToString("x"));
        }
        var ascii = Encoding.ASCII.GetBytes(sb.ToString());
        return Convert.ToBase64String(ascii).Substring(0, 32);