| 551 |
return $crypted_password; |
551 |
return $crypted_password; |
| 552 |
} |
552 |
} |
| 553 |
|
553 |
|
|
|
554 |
# If you want to understand the security of strings generated by this |
| 555 |
# function, here's a quick formula that will help you estimate: |
| 556 |
# We pick from 62 characters, which is close to 64, which is 2^6. |
| 557 |
# So 8 characters is (2^6)^8 == 2^48 combinations. Just multiply 6 |
| 558 |
# by the number of characters you generate, and that gets you the equivalent |
| 559 |
# strength of the string in bits. |
| 554 |
sub generate_random_password { |
560 |
sub generate_random_password { |
| 555 |
my $size = shift || 10; # default to 10 chars if nothing specified |
561 |
my $size = shift || 10; # default to 10 chars if nothing specified |
| 556 |
return join("", map{ ('0'..'9','a'..'z','A'..'Z')[rand 62] } (1..$size)); |
562 |
my $rand; |
|
|
563 |
if (Bugzilla->feature('rand_security')) { |
| 564 |
$rand = \&Math::Random::Secure::irand; |
| 565 |
} |
| 566 |
else { |
| 567 |
# For details on why this block works the way it does, see bug 619594. |
| 568 |
# (Note that we don't do this if Math::Random::Secure is installed, |
| 569 |
# because we don't need to.) |
| 570 |
my $counter = 0; |
| 571 |
$rand = sub { |
| 572 |
# If we regenerate the seed every 5 characters, our seed is roughly |
| 573 |
# as strong (in terms of bit size) as our randomly-generated |
| 574 |
# string itself. |
| 575 |
_do_srand() if ($counter % 5) == 0; |
| 576 |
$counter++; |
| 577 |
return int(rand $_[0]); |
| 578 |
}; |
| 579 |
} |
| 580 |
return join("", map{ ('0'..'9','a'..'z','A'..'Z')[$rand->(62)] } |
| 581 |
(1..$size)); |
| 582 |
} |
| 583 |
|
| 584 |
sub _do_srand { |
| 585 |
# On Windows, calling srand over and over in the same process produces |
| 586 |
# very bad results. We need a stronger seed. |
| 587 |
if (ON_WINDOWS) { |
| 588 |
require Win32; |
| 589 |
# GuidGen generates random data via Windows's CryptGenRandom |
| 590 |
# interface, which is documented as being cryptographically secure. |
| 591 |
my $guid = Win32::GuidGen(); |
| 592 |
# GUIDs look like: |
| 593 |
# {09531CF1-D0C7-4860-840C-1C8C8735E2AD} |
| 594 |
$guid =~ s/[-{}]+//g; |
| 595 |
# Get a 32-bit integer using the first eight hex digits. |
| 596 |
my $seed = hex(substr($guid, 0, 8)); |
| 597 |
srand($seed); |
| 598 |
return; |
| 599 |
} |
| 600 |
|
| 601 |
# On *nix-like platforms, this uses /dev/urandom, so the seed changes |
| 602 |
# enough on every invocation. |
| 603 |
srand(); |
| 557 |
} |
604 |
} |
| 558 |
|
605 |
|
| 559 |
sub validate_email_syntax { |
606 |
sub validate_email_syntax { |
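Review bot: _do_srand's Windows branch seeds from `hex(substr($guid, 0, 8))` without checking what Win32::GuidGen returned; should it ever return undef or something that is not a GUID, the substitution warns at most, `hex` quietly yields 0, and `srand(0)` makes every later password block fully deterministic, which defeats the purpose of this change. Guard the value before using it, e.g. `defined $guid or die "Win32::GuidGen failed";` right after the call and `$guid =~ /\A[0-9A-Fa-f]{8}/ or die "unexpected GUID format";` after the stripping substitution. A related silent-fallback risk is the `\&Math::Random::Secure::irand` reference in generate_random_password: taking a code reference never loads the module, so this presumes `Bugzilla->feature('rand_security')` has already required it, and that contract deserves a comment such as `# feature() is expected to have loaded Math::Random::Secure; the \& ref alone does not`. As a point of style, the `('0'..'9','a'..'z','A'..'Z')` list is rebuilt inside map for every character and could be hoisted into a `my @chars` once, and the reseed interval `5` (which the comment ties to the seed's bit strength) would be clearer as a named constant.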