From ea591e01cb1ede68de7a28ae2c913ef0a40f9dbe Mon Sep 17 00:00:00 2001 From: Robert Rothenberg Date: Tue, 17 Dec 2024 18:04:48 +0000 Subject: [PATCH] Use Crypt::URandom to get the random seed This is a platform-independent method for querying /dev/urandom or equivalents. It also uses the Win32::API on Windows, and it should work on Perl v5.6. --- Makefile.PL | 11 +++++------ lib/Session/Token.pm | 38 +++----------------------------------- 2 files changed, 8 insertions(+), 41 deletions(-) diff --git a/Makefile.PL b/Makefile.PL index 580ee9e..cdc6c00 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -3,15 +3,14 @@ use strict; use ExtUtils::MakeMaker; -my $deps = {}; - -$deps->{'Crypt::Random::Source::Strong::Win32'} = 0 - if $^O =~ /mswin/i; +my %deps = ( + 'Crypt::URandom' => '0.37', +); my %args = ( NAME => 'Session::Token', VERSION_FROM => 'lib/Session/Token.pm', - PREREQ_PM => $deps, + PREREQ_PM => \%deps, LIBS => [''], DEFINE => '', INC => '-I.', @@ -20,7 +19,7 @@ my %args = ( dist => { PREOP => 'pod2text $(VERSION_FROM) > $(DISTVNAME)/README', }, - MIN_PERL_VERSION => '5.8.0', + MIN_PERL_VERSION => '5.6.0', ); diff --git a/lib/Session/Token.pm b/lib/Session/Token.pm index c453fd2..2a961dd 100644 --- a/lib/Session/Token.pm +++ b/lib/Session/Token.pm @@ -3,9 +3,9 @@ package Session::Token; use strict; use Carp qw/croak/; +use Crypt::URandom qw/urandom_ub/; use POSIX qw/ceil/; - our $VERSION = '1.503'; require XSLoader; @@ -15,14 +15,6 @@ XSLoader::load('Session::Token', $VERSION); my $default_alphabet = join('', ('0'..'9', 'a'..'z', 'A'..'Z',)); my $default_entropy = 128; -my $is_windows; - -if ($^O =~ /mswin/i) { - require Crypt::Random::Source::Strong::Win32; - $is_windows = 1; -} - - sub new { my ($class, @args) = @_; @@ -43,26 +35,9 @@ sub new { } if (!defined $seed) { - if ($is_windows) { - my $windows_rng_source = Crypt::Random::Source::Strong::Win32->new; - $seed = $windows_rng_source->get(1024); - die "Win32 RNG source didn't provide 1024 bytes" unless length($seed) == 1024; - } else { - my ($fh, $err1, $err2); - - open($fh, '<:raw', '/dev/urandom') || ($err1 = $!); - open($fh, '<:raw', '/dev/arandom') || ($err2 = $!) - unless defined $fh; - - if (!defined $fh) { - croak "unable to open /dev/urandom ($err1) or /dev/arandom ($err2)"; - } - - sysread($fh, $seed, 1024) == 1024 || croak "unable to read from random device: $!"; - } + $seed = urandom_ub(1024); } - ## Init alphabet my $alphabet = defined $args{alphabet} ? $args{alphabet} : $default_alphabet; @@ -140,7 +115,7 @@ Session::Token - Secure, efficient, simple random session token generation This module provides a secure, efficient, and simple interface for creating session tokens, password reset codes, temporary passwords, random identifiers, and anything else you can think of. -When a Session::Token object is created, 1024 bytes are read from C (Linux, Solaris, most BSDs), C (some older BSDs), or L (Windows). These bytes are used to seed the L pseudo random number generator. +When a Session::Token object is created, 1024 bytes are read from L. These bytes are used to seed the L pseudo random number generator. Once a generator is created, you can repeatedly call the C method on the generator object and it will return a new token each time. @@ -420,13 +395,6 @@ Would be cool if it could detect forks and warn or re-seed in the child process There is currently no way to extract the seed from a Session::Token object. Note when implementing this: The saved seed must either store the current state of the ISAAC round as well as the 1024 byte C array or else do some kind of minimum fast forwarding in order to protect against a partially duplicated output-stream bug. -Doesn't work on perl 5.6 and below due to the use of C<:raw> (thanks CPAN testers). It could probably use C instead, but meh. - -On windows we use L which has a big dependency tree. We should instead use a slimmer module like L. - - - - =head1 SEE ALSO L