trezor · peter-sanderson · Oct 14, 2024 · Oct 14, 2024 · mroz22 · Oct 15, 2024
@@ -1,4 +1,4 @@
-import { enumUtils, getRandomNumberInRange } from '@trezor/utils';
+import { enumUtils, getWeakRandomNumberInRange } from '@trezor/utils';
 
 import type { CoinjoinRound, CoinjoinRoundOptions } from '../CoinjoinRound';
 import { EndRoundState, WabiSabiProtocolErrorCode } from '../../enums';
@@ -56,7 +56,7 @@ export const ended = (round: CoinjoinRound, { logger, network }: CoinjoinRoundOp
         // repeated input-registration will tell if they are really banned,
         // make sure that addresses registered in round are recycled (reset Infinity sentence)
         const minute = 60 * 1000;
-        const sentenceEnd = getRandomNumberInRange(5 * minute, 10 * minute);
+        const sentenceEnd = getWeakRandomNumberInRange(5 * minute, 10 * minute);
         [...inputs, ...addresses].forEach(vinvout =>
             prison.detain(vinvout, {
                 sentenceEnd,

@@ -1,4 +1,4 @@
-import { getRandomNumberInRange } from '@trezor/utils';
+import { getWeakRandomNumberInRange } from '@trezor/utils';
 
 import * as coordinator from '../coordinator';
 import * as middleware from '../middleware';
@@ -56,7 +56,7 @@ const registerInput = async (
     // setup random delay for registration request. we want each input to be registered in different time as different TOR identity
     // note that this may cause that the input will not be registered if phase change before expected deadline
     const deadline = round.phaseDeadline - Date.now() - ROUND_SELECTION_REGISTRATION_OFFSET;
-    const delay = deadline > 0 ? getRandomNumberInRange(0, deadline) : 0;
+    const delay = deadline > 0 ? getWeakRandomNumberInRange(0, deadline) : 0;
     logger.info(
         `Trying to register ~~${input.outpoint}~~ to ~~${round.id}~~ with delay ${delay}ms and deadline ${round.phaseDeadline}`,
     );

@@ -1,5 +1,5 @@
 import { bufferutils, Transaction, Network } from '@trezor/utxo-lib';
-import { getRandomNumberInRange } from '@trezor/utils';
+import { getWeakRandomNumberInRange } from '@trezor/utils';
 
 import {
     COORDINATOR_FEE_RATE_FALLBACK,
@@ -88,7 +88,7 @@ export const scheduleDelay = (
     // and at most 1 sec before the calculated max (so there's room for randomness)
     const min = clamp(minimumDelay, 0, max - 1000);
 
-    return getRandomNumberInRange(min, max);
+    return getWeakRandomNumberInRange(min, max);
 };
 
 // NOTE: deadlines are not accurate. phase may change earlier

@@ -188,7 +188,7 @@ describe(`CoinjoinRound`, () => {
 
     it('onPhaseChange lock cool off resolved', async () => {
         const delayMock = jest
-            .spyOn(trezorUtils, 'getRandomNumberInRange')
+            .spyOn(trezorUtils, 'getWeakRandomNumberInRange')
             .mockImplementation(() => 800);
 
         const constantsMock = jest
@@ -396,7 +396,7 @@ describe(`CoinjoinRound`, () => {
 
     it('unregisterAccount when round is locked', async () => {
         const delayMock = jest
-            .spyOn(trezorUtils, 'getRandomNumberInRange')
+            .spyOn(trezorUtils, 'getWeakRandomNumberInRange')
             .mockImplementation(() => 800);
 
         const constantsMock = jest

@@ -1,5 +1,5 @@
 import { networks } from '@trezor/utxo-lib';
-import { getRandomNumberInRange } from '@trezor/utils';
+import { getWeakRandomNumberInRange } from '@trezor/utils';
 
 import { transactionSigning } from '../../src/client/round/transactionSigning';
 import { createServer } from '../mocks/server';
@@ -529,7 +529,7 @@ describe('transactionSigning signature delay', () => {
         );
 
         // signature is sent in range 17-67 sec. (resolve time is less than 50 sec TX_SIGNING_DELAY)
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(17000, 67000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(17000, 67000);
         expect(response.isSignedSuccessfully()).toBe(true);
     });
 
@@ -558,7 +558,7 @@ describe('transactionSigning signature delay', () => {
         );
 
         // signature is sent in range 0-46.21 sec. (resolve time is greater than 50 sec of TX_SIGNING_DELAY)
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 46210);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 46210);
         expect(response.isSignedSuccessfully()).toBe(true);
     });
 
@@ -588,7 +588,7 @@ describe('transactionSigning signature delay', () => {
         );
 
         // signature is sent in default range 0-1 sec.
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
         expect(response.isSignedSuccessfully()).toBe(true);
     });
 });
@@ -1,4 +1,4 @@
-import { getRandomNumberInRange } from '@trezor/utils';
+import { getWeakRandomNumberInRange } from '@trezor/utils';
 
 import {
     getCommitmentData,
@@ -150,38 +150,38 @@ describe('roundUtils', () => {
 
         // default (no min, no max) range 0-10 sec.
         resultInRange(scheduleDelay(60000), 0, 10000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 10000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 10000);
 
         // range 3-10sec.
         resultInRange(scheduleDelay(20000, 3000), 3000, 10000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(3000, 10000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(3000, 10000);
 
         // deadlineOffset < 0, range 0-1 sec.
         resultInRange(scheduleDelay(1000, 3000), 0, 1000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
 
         // deadline < min, range 9-10 sec.
         resultInRange(scheduleDelay(60000, 61000), 9000, 10000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(9000, 10000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(9000, 10000);
 
         // deadline < min && deadline < max, range 49-50 sec.
         resultInRange(scheduleDelay(60000, 61000, 62000), 49000, 50000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(49000, 50000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(49000, 50000);
 
         // deadline > min && deadline < max, range 3-20 sec.
         resultInRange(scheduleDelay(30000, 3000, 50000), 3000, 20000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(3000, 20000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(3000, 20000);
 
         // min < 0 && deadline < max && deadlineOffset > 0, range 0-2.5 sec.
         resultInRange(scheduleDelay(12500, -3000, 50000), 0, 2500);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 2500);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 2500);
 
         // min < 0 && max < 0 && deadlineOffset > 0, range 0-1 sec.
         resultInRange(scheduleDelay(12500, -10000, -5000), 0, 1000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
 
         // min < 0 && max < 0 && deadlineOffset < 0, range 0-1 sec.
         resultInRange(scheduleDelay(7500, -10000, -5000), 0, 1000);
-        expect(getRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
+        expect(getWeakRandomNumberInRange).toHaveBeenLastCalledWith(0, 1000);
     });
 });
@@ -25,6 +25,7 @@
         "@trezor/device-utils": "workspace:*",
         "@trezor/transport": "workspace:*",
         "@trezor/urls": "workspace:*",
+        "crypto-browserify": "^3.12.0",
         "eth-phishing-detect": "^1.2.0",
         "react-dom": "18.2.0"
     },

@@ -69,6 +69,11 @@ const config: webpack.Configuration = {
         extensions: ['.ts', '.tsx', '.js', '.jsx'],
         modules: ['node_modules'],
         mainFields: ['browser', 'module', 'main'],
+        fallback: {
+            // Polyfills crypto API for Node.js libraries in the browser. 'crypto' does not run without 'stream'
+            crypto: require.resolve('crypto-browserify'),
+            stream: require.resolve('stream-browserify'),
+        },
     },
     plugins: [
         new DefinePlugin({

@@ -45,7 +45,8 @@
     "dependencies": {
         "@trezor/connect": "workspace:*",
         "@trezor/connect-common": "workspace:*",
-        "@trezor/utils": "workspace:*"
+        "@trezor/utils": "workspace:*",
+        "crypto-browserify": "^3.12.0"
     },
     "devDependencies": {
         "@babel/preset-typescript": "^7.24.7",

@@ -24,6 +24,13 @@ const dev = {
         libraryTarget: 'umd',
         libraryExport: 'default',
     },
+    resolve: {
+        fallback: {
+            // Polyfills crypto API for NodeJS libraries in the browser. 'crypto' does not run without 'stream'
+            crypto: require.resolve('crypto-browserify'),
+            stream: require.resolve('stream-browserify'),
+        },
+    },
     plugins: [
         // connect-web dev needs to be served from https
         // to allow injection in 3rd party builds using trezor-connect-src param

@@ -49,6 +49,10 @@ const config: webpack.Configuration = {
         mainFields: ['browser', 'module', 'main'],
         extensions: ['.ts', '.js'],
         fallback: {
+            // Polyfills crypto API for Node.js libraries in the browser. 'crypto' does not run without 'stream'
+            crypto: require.resolve('crypto-browserify'),
+            stream: require.resolve('stream-browserify'),
+
             fs: false, // ignore "fs" import in markdown-it-imsize
             path: false, // ignore "path" import in markdown-it-imsize
         },

@@ -42,6 +42,7 @@
         "@trezor/connect-common": "workspace:*",
         "@trezor/connect-web": "workspace:*",
         "@trezor/utils": "workspace:*",
+        "crypto-browserify": "^3.12.0",
         "events": "^3.3.0"
     },
     "devDependencies": {

@@ -38,6 +38,11 @@ const config: webpack.Configuration = {
         modules: ['node_modules'],
         mainFields: ['browser', 'module', 'main'],
         extensions: ['.ts', '.js'],
+        fallback: {
+            // Polyfills crypto API for Node.js libraries in the browser. 'crypto' does not run without 'stream'
+            crypto: require.resolve('crypto-browserify'),
+            stream: require.resolve('stream-browserify'),
+        },
     },
     performance: {
         hints: false,

@@ -44,7 +44,7 @@ const config: webpack.Configuration = {
             src: path.resolve(__dirname, '../../suite/src/'),
         },
         fallback: {
-            // Polyfills crypto API for NodeJS libraries in the browser. 'crypto' does not run without 'stream'
+            // Polyfills crypto API for Node.js libraries in the browser. 'crypto' does not run without 'stream'
             crypto: require.resolve('crypto-browserify'),
             stream: require.resolve('stream-browserify'),
             // Not required

diff --git a/packages/suite/src/views/wallet/transactions/TransactionList/NoSearchResults.tsx b/packages/suite/src/views/wallet/transactions/TransactionList/NoSearchResults.tsx
@@ -2,7 +2,7 @@ import { useState } from 'react';
 import styled from 'styled-components';
 import { Card, Column, variables } from '@trezor/components';
 import { Translation } from 'src/components/suite';
-import { getRandomNumberInRange } from '@trezor/utils';
+import { getWeakRandomNumberInRange } from '@trezor/utils';
 import { typography } from '@trezor/theme';
 
 const NoResults = styled.div`
@@ -46,7 +46,7 @@ const getTip = (num: number) => {
 };
 
 export const NoSearchResults = () => {
-    const [tip] = useState(getRandomNumberInRange(1, 10));
+    const [tip] = useState(getWeakRandomNumberInRange(1, 10));
 
     return (
         <Card>

@@ -33,6 +33,7 @@
         "@trezor/theme": "workspace:*",
         "@trezor/transport": "workspace:*",
         "@trezor/utils": "workspace:*",
+        "crypto-browserify": "^3.12.0",
         "json-stable-stringify": "^1.1.1",
         "react": "18.2.0",
         "react-dom": "18.2.0",

@@ -58,6 +58,11 @@ const config: webpack.Configuration = {
         extensions: ['.ts', '.tsx', '.js', '.jsx'],
         modules: ['node_modules'],
         mainFields: ['browser', 'module', 'main'],
+        fallback: {
+            // Polyfills crypto API for Node.js libraries in the browser. 'crypto' does not run without 'stream'
+            crypto: require.resolve('crypto-browserify'),
+            stream: require.resolve('stream-browserify'),
+        },
     },
     plugins: [
         new HtmlWebpackPlugin({

@@ -14,7 +14,7 @@
         "test:e2e:new-bridge:hw": "USE_HW=true USE_NODE_BRIDGE=true yarn test:e2e:bridge",
         "test:e2e:new-bridge:emu": "USE_HW=false USE_NODE_BRIDGE=true yarn test:e2e:bridge",
         "build:e2e:api:node": "yarn esbuild ./e2e/api/api.test.ts --bundle --outfile=./e2e/dist/api.test.node.js --platform=node --target=node18 --external:usb",
-        "build:e2e:api:browser": "yarn esbuild ./e2e/api/api.test.ts --bundle --outfile=./e2e/dist/api.test.browser.js --platform=browser --external:usb  && cp e2e/ui/api.test.html e2e/dist/index.html",
+        "build:e2e:api:browser": "yarn esbuild ./e2e/api/api.test.ts --bundle --alias:crypto=crypto-browserify --alias:stream=stream-browserify --outfile=./e2e/dist/api.test.browser.js --platform=browser --external:usb  && cp e2e/ui/api.test.html e2e/dist/index.html",
         "test:e2e:api:node:hw": "yarn build:e2e:api:node && node ./e2e/dist/api.test.node.js",
         "test:e2e:api:browser:hw": "yarn build:e2e:api:browser && npx http-serve ./e2e/dist"
     },
@@ -25,6 +25,7 @@
         "@trezor/trezor-user-env-link": "workspace:^",
         "@trezor/utils": "workspace:*",
         "buffer": "^6.0.3",
+        "crypto-browserify": "^3.12.0",
         "esbuild": "^0.23.1",
         "jest": "^29.7.0",
         "jest-extended": "^4.0.2",

@@ -1,11 +1,16 @@
+import { getRandomInt } from './getRandomInt';
+
 /**
- * Randomly shuffles the elements in an array. This method
- * does not mutate the original array.
+ * Implementation of the Fisher-Yates shuffle algorithm.
+ * The algorithm produces an unbiased permutation: every permutation is equally likely.
+ * @link https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle
+ *
+ * This method does not mutate the original array.
  */
-export const arrayShuffle = <T>(array: readonly T[]) => {
+export const arrayShuffle = <T>(array: readonly T[]): T[] => {
     const shuffled = array.slice();
     for (let i = shuffled.length - 1; i > 0; i--) {
-        const j = Math.floor(Math.random() * (i + 1));
+        const j = getRandomInt(0, i);
         [shuffled[i], shuffled[j]] = [shuffled[j], shuffled[i]];
     }
 

@@ -0,0 +1,17 @@
+import { randomBytes } from 'crypto';
+
+/**
+ * Crypto.randomInt() function is not implemented by polyfill 'crypto-browserify'
+ * @see https://github.com/browserify/crypto-browserify/issues/224
+ */
+export const getRandomInt = (min: number, max: number) => {
+    if (min >= max) {
+        throw new RangeError(
+            `The value of "max" is out of range. It must be greater than the value of "min" (${min}). Received ${max}`,
+        );
+    }
+
+    const randomValue = parseInt(randomBytes(4).toString('hex'), 16);
+
+    return min + (randomValue % (max - min));
+};
@@ -0,0 +1,5 @@
+/**
+ * @deprecated Consider using `getRandomInt` which is cryptographically secure.
+ */
+export const getWeakRandomNumberInRange = (min: number, max: number) =>
+    Math.floor(Math.random() * (max - min + 1)) + min;
@@ -19,7 +19,7 @@ export * from './createTimeoutPromise';
 export * from './getLocaleSeparators';
 export * from './getMutex';
 export * from './getNumberFromPixelString';
-export * from './getRandomNumberInRange';
+export * from './getWeakRandomNumberInRange';
 export * from './getSynchronize';
 export * from './getWeakRandomId';
 export * from './hasUppercaseLetter';
@@ -40,6 +40,7 @@ export * from './topologicalSort';
 export * from './truncateMiddle';
 export * from './typedEventEmitter';
 export * from './urlToOnion';
+export * from './getRandomInt';
 export * from './logs';
 export * from './logsManager';
 export * from './bigNumber';

@@ -5,19 +5,24 @@ const SAMPLES = 10000;
 const TOLERANCE = 0.1;
 const EXPECTED = SAMPLES / KEYS.length;
 
-describe('arrayShuffle', () => {
+const LOWER_BOUND = (1 - TOLERANCE) * EXPECTED;
+const UPPER_BOUND = (1 + TOLERANCE) * EXPECTED;
+
+describe(arrayShuffle.name, () => {
     it('shuffles randomly', () => {
         const samples = Object.fromEntries(KEYS.map(key => [key, new Array(KEYS.length).fill(0)]));
+
         for (let sample = 0; sample < SAMPLES; ++sample) {
             const shuffled = arrayShuffle(KEYS);
             for (let i = 0; i < shuffled.length; ++i) {
                 samples[shuffled[i]][i]++;
             }
         }
+
         KEYS.forEach(key =>
             samples[key].forEach(count => {
-                expect(count).toBeGreaterThanOrEqual((1 - TOLERANCE) * EXPECTED);
-                expect(count).toBeLessThanOrEqual((1 + TOLERANCE) * EXPECTED);
+                expect(count).toBeGreaterThanOrEqual(LOWER_BOUND);
+                expect(count).toBeLessThanOrEqual(UPPER_BOUND);
             }),
         );
     });