File Coverage

blib/lib/FAQ/OMatic/Entropy.pm

Criterion	Covered	Total	%
statement	6	18	33.3
branch	0	2	0.0
condition			n/a
subroutine	2	3	66.6
pod	0	1	0.0
total	8	24	33.3

line	stmt	bran	sub	pod	time	code
1						##############################################################################
2						# The Faq-O-Matic is Copyright 1997 by Jon Howell, all rights reserved. #
3						# #
4						# This program is free software; you can redistribute it and/or #
5						# modify it under the terms of the GNU General Public License #
6						# as published by the Free Software Foundation; either version 2 #
7						# of the License, or (at your option) any later version. #
8						# #
9						# This program is distributed in the hope that it will be useful, #
10						# but WITHOUT ANY WARRANTY; without even the implied warranty of #
11						# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
12						# GNU General Public License for more details. #
13						# #
14						# You should have received a copy of the GNU General Public License #
15						# along with this program; if not, write to the Free Software #
16						# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.#
17						# #
18						# Jon Howell can be contacted at: #
19						# 6211 Sudikoff Lab, Dartmouth College #
20						# Hanover, NH 03755-3510 #
21						# jonh@cs.dartmouth.edu #
22						# #
23						# An electronic copy of the GPL is available at: #
24						# http://www.gnu.org/copyleft/gpl.html #
25						# #
26						##############################################################################
27
28	1		1		6	use strict;
	1				2
	1				56
29
30						###
31						### Entropy looks around for some entropy for better password/nonce
32						### generation. Uses /dev/random if you've got it.
33						###
34
35						package FAQ::OMatic::Entropy;
36
37	1		1		6	use Digest::MD5 qw(md5_hex);
	1				1
	1				193
38
39						# generate a temporary password
40						# THANKS to Matej Vela for pointing out that my crappy
41						# first cut ( crypt(rand(time)) ) was very easily attackable with an offline
42						# attack: so if your fom file becomes world-readable and your config
43						# goes away, an attacker could easily compute the attack offline, then
44						# log in and control the config page: that's a lot of power. He can
45						# specify executables to run there. Yikes!
46						# Just for kicks, a google search for "temporaryCryptedPassword" found
47						# four publically-readable passwords. They weren't vulnerable because the
48						# sites config files are set up correctly ... for now! Scary.
49						#
50						# So, to be a little safer, let's use a less-attackable hash (which will
51						# require admins to install Digest::MD5), and collect entropy wherever
52						# we can find it.
53						# (Perhaps we could fancy-up crypt to give more like 112 bits of hash
54						# quality by tweaking it to essentially do 3DES, but I doubt it, and I
55						# don't want my crypto sloppiness to expose your machine to attack.)
56						#
57						sub gatherRandomString {
58	0		0	0		my $entropy = '';
59	0					$entropy .= $$;
60	0					$entropy .= time();
61						# if you've got real random bits, let's take 128 of them.
62						# Too bad there's not a standard way to fetch real entropy on all platforms
63	0	0				if (-r "/dev/random") {
64	0					my $buf;
65	0					open (RANDFH, "/dev/random");
66	0					sysread(RANDFH, $buf, 16);
67	0					close (RANDFH);
68	0					$entropy .= $buf;
69						}
70						# grab some more sources for those poor slobs who don't have /dev/random
71	0					$entropy .= `uptime`;
72	0					$entropy .= `uname -a`;
73
74						# hash it all up into a secret password
75	0					return md5_hex($entropy);
76						}
77
78						1;