1 |
Hi, |
2 |
|
3 |
After reading and trying to work around the #88831 bug |
4 |
(http://bugs.gentoo.org/show_bug.cgi?id=88831), I realized that the |
5 |
automatic generation of passwords and alike is done by using just the |
6 |
$RANDOM bash function, which is pretty weak (among that, wrongly used, |
7 |
can cause some overhead). |
8 |
|
9 |
I worked out a simplistic crypto.eclass that implements the following |
10 |
functions: |
11 |
|
12 |
get_random_string_seed5(): |
13 |
Generates a random string (33 bytes) using a simplistic seeding method |
14 |
with 5 salts that uses the $RNGDEVICE (pseudo-)random numbers generator |
15 |
device to gather entropy, and MD5 to calculate pseudo-random sums/hashes |
16 |
to be used for calculating the final MD5 sum/hash, that is, the |
17 |
(pseudo-)random string to be used finally (ie. for generating a random |
18 |
password value to be used in automatically-created configuration or |
19 |
installation files). |
20 |
The seeds (1,2,3,4,5) are, respectively: 1000, 10, 1000, 50 & 1000 bytes |
21 |
long. |
22 |
|
23 |
get_random_string_seed1(): |
24 |
Same as get_random_string_seed5() but using only 1 seed. |
25 |
Good if we want to avoid entropy pool exhausting in certain cases. |
26 |
The only one seed is 1000 bytes long. |
27 |
No parameters |
28 |
|
29 |
get_random_string_int_md5(): |
30 |
Uses the $RANDOM internal Bash function that returns a pseudo-random |
31 |
integer in the range 0 - 32767, used 4 times to get (usually) 19-21 |
32 |
bytes of pseudo random data (ie. 1626436901920922388), then generates a |
33 |
MD5 sum/hash. |
34 |
No parameters |
35 |
|
36 |
get_random_string_int() |
37 |
Same as get_random_string_int_md5() but not generating a MD5 sum/hash |
38 |
of the obtained pseudo-random data. |
39 |
No parameters |
40 |
|
41 |
Also, any crypto-related function should get it inside such eclass |
42 |
instead of placing the same code in every ebuild requiring the same or |
43 |
similar operation, that is, we must reuse code as much as possible, and |
44 |
providing stronger solutions, indeed. |
45 |
|
46 |
The eclass can be found at: |
47 |
http://pearls.tuxedo-es.org/gentoo/crypto.eclass |
48 |
|
49 |
to test it, you can use: |
50 |
http://pearls.tuxedo-es.org/gentoo/test-crypto-eclass.sh |
51 |
|
52 |
Currently, the ebuilds that may benefit of this eclass directly are: |
53 |
|
54 |
dev-db/phpmyadmin |
55 |
net-mail/gnubiff |
56 |
sys-libs/nss-mysql |
57 |
mail-filter/dspam |
58 |
|
59 |
There's currently a possible problem regarding collisions in the |
60 |
ebuild(s): |
61 |
|
62 |
net-irc/irc-server |
63 |
|
64 |
at: |
65 |
IRCUID=$RANDOM |
66 |
|
67 |
$RANDOM can't assure that the returned integer doesn't represent an |
68 |
existing uid, thus, a new function might be good to handle these cases, |
69 |
that checks for existing uid before setting the value of the randomly |
70 |
generated integer. |
71 |
|
72 |
The list was provided by Elfyn (thanks!): |
73 |
http://dev.gentoo.org/~beu/bash-RANDOM-utilising-ebuild.txt |
74 |
|
75 |
Thanks in advance, |
76 |
Cheers. |
77 |
-- |
78 |
Lorenzo Hernández García-Hierro <lorenzo@×××.org> |
79 |
|
80 |
-- |
81 |
gentoo-dev@g.o mailing list |