| 1 |
Hi, |
| 2 |
|
| 3 |
After reading and trying to work around the #88831 bug |
| 4 |
(http://bugs.gentoo.org/show_bug.cgi?id=88831), I realized that the |
| 5 |
automatic generation of passwords and alike is done by using just the |
| 6 |
$RANDOM bash function, which is pretty weak (among that, wrongly used, |
| 7 |
can cause some overhead). |
| 8 |
|
| 9 |
I worked out a simplistic crypto.eclass that implements the following |
| 10 |
functions: |
| 11 |
|
| 12 |
get_random_string_seed5(): |
| 13 |
Generates a random string (33 bytes) using a simplistic seeding method |
| 14 |
with 5 salts that uses the $RNGDEVICE (pseudo-)random numbers generator |
| 15 |
device to gather entropy, and MD5 to calculate pseudo-random sums/hashes |
| 16 |
to be used for calculating the final MD5 sum/hash, that is, the |
| 17 |
(pseudo-)random string to be used finally (ie. for generating a random |
| 18 |
password value to be used in automatically-created configuration or |
| 19 |
installation files). |
| 20 |
The seeds (1,2,3,4,5) are, respectively: 1000, 10, 1000, 50 & 1000 bytes |
| 21 |
long. |
| 22 |
|
| 23 |
get_random_string_seed1(): |
| 24 |
Same as get_random_string_seed5() but using only 1 seed. |
| 25 |
Good if we want to avoid entropy pool exhausting in certain cases. |
| 26 |
The only one seed is 1000 bytes long. |
| 27 |
No parameters |
| 28 |
|
| 29 |
get_random_string_int_md5(): |
| 30 |
Uses the $RANDOM internal Bash function that returns a pseudo-random |
| 31 |
integer in the range 0 - 32767, used 4 times to get (usually) 19-21 |
| 32 |
bytes of pseudo random data (ie. 1626436901920922388), then generates a |
| 33 |
MD5 sum/hash. |
| 34 |
No parameters |
| 35 |
|
| 36 |
get_random_string_int() |
| 37 |
Same as get_random_string_int_md5() but not generating a MD5 sum/hash |
| 38 |
of the obtained pseudo-random data. |
| 39 |
No parameters |
| 40 |
|
| 41 |
Also, any crypto-related function should get it inside such eclass |
| 42 |
instead of placing the same code in every ebuild requiring the same or |
| 43 |
similar operation, that is, we must reuse code as much as possible, and |
| 44 |
providing stronger solutions, indeed. |
| 45 |
|
| 46 |
The eclass can be found at: |
| 47 |
http://pearls.tuxedo-es.org/gentoo/crypto.eclass |
| 48 |
|
| 49 |
to test it, you can use: |
| 50 |
http://pearls.tuxedo-es.org/gentoo/test-crypto-eclass.sh |
| 51 |
|
| 52 |
Currently, the ebuilds that may benefit of this eclass directly are: |
| 53 |
|
| 54 |
dev-db/phpmyadmin |
| 55 |
net-mail/gnubiff |
| 56 |
sys-libs/nss-mysql |
| 57 |
mail-filter/dspam |
| 58 |
|
| 59 |
There's currently a possible problem regarding collisions in the |
| 60 |
ebuild(s): |
| 61 |
|
| 62 |
net-irc/irc-server |
| 63 |
|
| 64 |
at: |
| 65 |
IRCUID=$RANDOM |
| 66 |
|
| 67 |
$RANDOM can't assure that the returned integer doesn't represent an |
| 68 |
existing uid, thus, a new function might be good to handle these cases, |
| 69 |
that checks for existing uid before setting the value of the randomly |
| 70 |
generated integer. |
| 71 |
|
| 72 |
The list was provided by Elfyn (thanks!): |
| 73 |
http://dev.gentoo.org/~beu/bash-RANDOM-utilising-ebuild.txt |
| 74 |
|
| 75 |
Thanks in advance, |
| 76 |
Cheers. |
| 77 |
-- |
| 78 |
Lorenzo Hernández García-Hierro <lorenzo@×××.org> |
| 79 |
|
| 80 |
-- |
| 81 |
gentoo-dev@g.o mailing list |
Archives