diff options
author | Yorhel <git@yorhel.nl> | 2014-10-15 12:57:53 +0200 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2014-10-15 12:57:53 +0200 |
commit | 13e967810a8b336164d22167bb047ad1dbb5a836 (patch) | |
tree | 2fd4d1ccacc0fb5fff24f0cb17ff8d262cc371a8 /lib/VNDB/Util/Auth.pm | |
parent | 2640d51d745bdbd85bf52f92aa4ed46253ccf99d (diff) |
Auth: Use a proper CSPRNG for generating salt and tokens
Diffstat (limited to 'lib/VNDB/Util/Auth.pm')
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index 63812d36..2fd06828 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm @@ -6,9 +6,8 @@ use strict; use warnings; use Exporter 'import'; use Digest::SHA qw|sha1 sha1_hex sha256|; -use Time::HiRes; +use Crypt::URandom 'urandom'; use Encode 'encode_utf8'; -use POSIX 'strftime'; use TUWF ':html'; use VNDB::Func; @@ -19,6 +18,11 @@ our @EXPORT = qw| |; +sub randomascii { + return join '', map chr($_%92+33), unpack 'C*', urandom shift; +} + + # initializes authentication information and checks the vndb_auth cookie sub authInit { my $self = shift; @@ -45,7 +49,7 @@ sub authLogin { my $to = shift; if(_authCheck($self, $user, $pass)) { - my $token = sha1_hex(join('', Time::HiRes::gettimeofday()) . join('', map chr(rand(93)+33), 1..9)); + my $token = unpack 'H*', urandom(20); my $cookie = $token . $self->{_auth}{id}; $self->dbSessionAdd($self->{_auth}{id}, $token); @@ -119,7 +123,7 @@ sub _authCheck { # Returns: encrypted password (as a binary string) sub authPreparePass { my($self, $pass, $salt) = @_; - $salt ||= encode_utf8(join '', map chr(rand(93)+33), 1..9); + $salt ||= encode_utf8(randomascii(9)); return $salt.sha256($self->{global_salt} . encode_utf8($pass) . $salt); } @@ -128,8 +132,8 @@ sub authPreparePass { # Returns: token (hex string), token-encrypted (binary string) sub authPrepareReset { my $self = shift; - my $token = sha1_hex(join('', Time::HiRes::gettimeofday()) . join('', map chr(rand(93)+33), 1..9)); - my $salt = join '', map chr(rand(93)+33), 1..9; + my $token = unpack 'H*', urandom(20); + my $salt = randomascii(9); my $token_e = encode_utf8($salt) . sha1(lc($token).$salt); return ($token, $token_e); } |