
This queue is for tickets about the Crypt-DSA CPAN distribution.

Report information
The Basics
Id: 21968
Status: open
Priority: 0/
Queue: Crypt-DSA

People
Owner: cpan [...] stupidfool.org
Requestors: SAMV [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 0.13
  • 0.14
Fixed in: (no value)



RT-Send-CC: emmanuel.rodriguez-santiago [...] hp.com, BRICAS [...] cpan.org
I'm not entirely sure why you think the salt required by the signing process is sufficiently sensitive to PRNG attacks that it requires reading of /dev/random - this depletes the system of available entropy fast. On systems that do a lot of signing, and do not have hardware random number generators, this can be a drag. Using Crypt::Random::makerandom (as recommended in #14281) with Strength => 0 is probably the right thing to do. I wouldn't use Data::Random, its implementation is shocking.
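As an added illustration of the non-blocking alternative discussed in this ticket (this is example code, not from the Crypt-DSA distribution or any of the posters), a Perl routine that fills a `Size`-bit value from /dev/urandom, handles short reads and read errors, and returns a Math::BigInt; the name `urandom_bigint` and the use of Math::BigInt are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not code from the Crypt-DSA distribution or this ticket.
# Reads Size random bits from the non-blocking /dev/urandom device, the
# source proposed in this ticket in place of /dev/random, and returns
# them as a Math::BigInt. Short reads and read errors are handled.
use strict;
use warnings;
use Fcntl qw(O_RDONLY);
use Math::BigInt;

sub urandom_bigint {
    my (%param) = @_;
    my $size  = $param{Size} or die "Size (in bits) is required";
    my $bytes = int(($size + 7) / 8);        # whole bytes covering $size bits

    sysopen my $fh, '/dev/urandom', O_RDONLY
        or die "cannot open /dev/urandom: $!";

    my $buf  = '';
    my $read = 0;
    while ($read < $bytes) {
        # OFFSET argument appends to $buf instead of overwriting it
        my $got = sysread $fh, $buf, $bytes - $read, $read;
        die "read error on /dev/urandom: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom"  if $got == 0;
        $read += $got;
    }
    close $fh;

    # Mask off surplus high bits so the result is exactly $size bits wide.
    my $r = Math::BigInt->new('0x' . unpack 'H*', $buf);
    $r->bmod(Math::BigInt->new(2)->bpow($size));
    return $r;
}

# Usage: a per-signature DSA nonce for a 160-bit subgroup order q would be
# drawn as urandom_bigint(Size => 160) and then reduced into [1, q-1].
my $k = urandom_bigint(Size => 160);
print $k->as_hex, "\n";
```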
From: mutant.nz [...] gmail.com
Would it be possible to simply change the code to read /dev/urandom instead of /dev/random? This should solve the problem for a lot of users, without introducing the dreaded Math::Pari that Crypt::Random depends on.
In the hopes of just using the non-blocking random source (rather than the more elegant Crypt::Random solution also proposed) I offer a quick patch that changes the source from /dev/random to /dev/urandom. If the author doesn't pick this up, I can request to take over the module for that purpose, though I have no vested interest in maintaining or enhancing it beyond this change. Cheers
Subject: Crypt-DSA-1.16.urandom.patch
--- Crypt-DSA-1.16/lib/Crypt/DSA/Util.pm.orig 2011-06-16 09:53:46.000000000 +0100 +++ Crypt-DSA-1.16/lib/Crypt/DSA/Util.pm 2011-06-16 09:56:32.000000000 +0100 @@ -53,7 +53,7 @@ my $size = $param{Size}; my $bytes = int($size / 8) + 1; my $r = ''; - if ( sysopen my $fh, '/dev/random', O_RDONLY ) { + if ( sysopen my $fh, '/dev/urandom', O_RDONLY ) { my $read = 0; while ($read < $bytes) { my $got = sysread $fh, my($chunk), $bytes - $read;
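Review bot: the hunk changes only the device path in the `sysopen` call, and the read loop that follows (`while ($read < $bytes) { my $got = sysread $fh, my($chunk), $bytes - $read;`) is cut off before it shows how `$got` is used; since `sysread` returns undef on error and 0 at EOF, and `$read` would not advance in either case, please confirm the lines after this hunk check `defined $got` and `$got == 0` and bail out rather than spin. A short comment at the `sysopen` line explaining why `/dev/urandom` is deliberately used (entropy depletion under heavy signing with `/dev/random`, per this ticket) would also keep a later maintainer from reverting it as an apparent hardening, and a Changes entry for 1.16 should record the switch.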