Room for improvement in Apache::Session::Generate::SHA256
The Lemonldap::NG::Common::Apache::Session::Generate::SHA256
module could use an update. It:
- imports some methods like sha256 but doesn't use them,
- reads 64 bytes of urandom, but only because that's the length of the output of sha256_hex,
- does a second round of hashing for no documented reason,
- hashes the output of time, {}, and $$ as well; at best they do no harm, and at worst they could leak information.
Moreover, it doesn't handle the fact that Crypt::URandom
could croak. Not sure if that's handled nicely by other parts of LLNG?
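As an added illustration of the simpler generator this report argues for (example code, not the Lemonldap::NG module's own; the package name is hypothetical, and it assumes the generate/validate interface and the IDLength argument that Apache::Session's stock generators use):

```perl
# Added example, not the Lemonldap::NG module's own code: a minimal
# Apache::Session-style ID generator that takes its entropy straight from
# Crypt::URandom, hex-encodes it once, and fails closed when the secure
# random source is unavailable instead of letting urandom()'s croak escape.
package My::Session::Generate::URandom;    # hypothetical package name

use strict;
use warnings;
use Carp qw(croak);
use Crypt::URandom qw(urandom);    # urandom() croaks if no secure source exists

# 32 random bytes are 256 bits of entropy; hex encoding keeps all of it,
# so no hashing round (let alone two) is needed to produce the identifier.
our $RANDOM_BYTES = 32;

# Called by Apache::Session with the session object. Stores the new ID in
# $session->{data}->{_session_id}, honouring the IDLength argument (in hex
# digits) like the stock Apache::Session::Generate::MD5 does.
sub generate {
    my ($session) = @_;
    my $length = $session->{args}->{IDLength} // 2 * $RANDOM_BYTES;
    croak "IDLength $length exceeds the $RANDOM_BYTES random bytes drawn"
      if $length > 2 * $RANDOM_BYTES;

    my $bytes = eval { urandom($RANDOM_BYTES) };
    # Never fall back to time, $$ or rand(): a missing entropy source is an error.
    croak "session ID generation failed, no secure random source: $@"
      unless defined $bytes && length($bytes) == $RANDOM_BYTES;

    my $id = unpack( 'H*', $bytes );    # lower-case hex, 2 digits per byte
    $session->{data}->{_session_id} = substr( $id, 0, $length );
    return $session->{data}->{_session_id};
}

# Accept only a hex string of the configured length before it reaches storage;
# the captured copy is the untainted value Apache::Session keeps.
sub validate {
    my ($session) = @_;
    my $length = $session->{args}->{IDLength} // 2 * $RANDOM_BYTES;
    my $id     = $session->{data}->{_session_id};
    unless ( defined $id && $id =~ /^([0-9a-fA-F]{$length})$/ ) {
        croak 'Invalid session ID: ' . ( defined $id ? $id : '<undef>' );
    }
    $session->{data}->{_session_id} = $1;
    return 1;
}

1;
```

The eval around urandom() is what turns the croak mentioned above into an explicit, loggable failure of session creation rather than an unexplained die deep inside Apache::Session.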