From 6f901a31635829c59ec77c98f8074b03716d2598 Mon Sep 17 00:00:00 2001
From: Ian Shim <shim@fastmail.com>
Date: Tue, 22 Oct 2024 21:18:05 -0700
Subject: [PATCH] replace math/rand with crypto/rand for generating challenge

---
 disperser/apiserver/server.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/disperser/apiserver/server.go b/disperser/apiserver/server.go
index 18cd71ac1d..273f466ec9 100644
--- a/disperser/apiserver/server.go
+++ b/disperser/apiserver/server.go
@@ -2,9 +2,10 @@ package apiserver
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/binary"
 	"errors"
 	"fmt"
-	"math/rand"
 	"net"
 	"slices"
 	"strings"
@@ -146,7 +147,14 @@ func (s *DispersalServer) DisperseBlobAuthenticated(stream pb.Disperser_Disperse
 	authenticatedAddress := crypto.PubkeyToAddress(*pubKey).String()
 
 	// Send back challenge to client
-	challenge := rand.Uint32()
+	challengeBytes := make([]byte, 32)
+	_, err = rand.Read(challengeBytes)
+	if err != nil {
+		s.metrics.HandleInvalidArgRpcRequest("DisperseBlobAuthenticated")
+		s.metrics.HandleInvalidArgRequest("DisperseBlobAuthenticated")
+		return api.NewInvalidArgError(fmt.Sprintf("failed to generate challenge: %v", err))
+	}
+	challenge := binary.LittleEndian.Uint32(challengeBytes)
 	err = stream.Send(&pb.AuthenticatedReply{Payload: &pb.AuthenticatedReply_BlobAuthHeader{
 		BlobAuthHeader: &pb.BlobAuthHeader{
 			ChallengeParameter: challenge,