summaryrefslogtreecommitdiff
path: root/lib/VNDB/Util/Auth.pm
diff options
context:
space:
mode:
authorYorhel <git@yorhel.nl>2014-10-15 12:57:53 +0200
committerYorhel <git@yorhel.nl>2014-10-15 12:57:53 +0200
commit13e967810a8b336164d22167bb047ad1dbb5a836 (patch)
tree2fd4d1ccacc0fb5fff24f0cb17ff8d262cc371a8 /lib/VNDB/Util/Auth.pm
parent2640d51d745bdbd85bf52f92aa4ed46253ccf99d (diff)
Auth: Use a proper CSPRNG for generating salt and tokens
Diffstat (limited to 'lib/VNDB/Util/Auth.pm')
-rw-r--r--lib/VNDB/Util/Auth.pm16
1 files changed, 10 insertions, 6 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 63812d36..2fd06828 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -6,9 +6,8 @@ use strict;
use warnings;
use Exporter 'import';
use Digest::SHA qw|sha1 sha1_hex sha256|;
-use Time::HiRes;
+use Crypt::URandom 'urandom';
use Encode 'encode_utf8';
-use POSIX 'strftime';
use TUWF ':html';
use VNDB::Func;
@@ -19,6 +18,11 @@ our @EXPORT = qw|
|;
+sub randomascii {
+ return join '', map chr($_%92+33), unpack 'C*', urandom shift;
+}
+
+
# initializes authentication information and checks the vndb_auth cookie
sub authInit {
my $self = shift;
@@ -45,7 +49,7 @@ sub authLogin {
my $to = shift;
if(_authCheck($self, $user, $pass)) {
- my $token = sha1_hex(join('', Time::HiRes::gettimeofday()) . join('', map chr(rand(93)+33), 1..9));
+ my $token = unpack 'H*', urandom(20);
my $cookie = $token . $self->{_auth}{id};
$self->dbSessionAdd($self->{_auth}{id}, $token);
@@ -119,7 +123,7 @@ sub _authCheck {
# Returns: encrypted password (as a binary string)
sub authPreparePass {
my($self, $pass, $salt) = @_;
- $salt ||= encode_utf8(join '', map chr(rand(93)+33), 1..9);
+ $salt ||= encode_utf8(randomascii(9));
return $salt.sha256($self->{global_salt} . encode_utf8($pass) . $salt);
}
@@ -128,8 +132,8 @@ sub authPreparePass {
# Returns: token (hex string), token-encrypted (binary string)
sub authPrepareReset {
my $self = shift;
- my $token = sha1_hex(join('', Time::HiRes::gettimeofday()) . join('', map chr(rand(93)+33), 1..9));
- my $salt = join '', map chr(rand(93)+33), 1..9;
+ my $token = unpack 'H*', urandom(20);
+ my $salt = randomascii(9);
my $token_e = encode_utf8($salt) . sha1(lc($token).$salt);
return ($token, $token_e);
}