get_random_bytes gives taint errors

[gerv]

See https://bugzilla.mozilla.org/show_bug.cgi?id=1187897 . The errors are:

Insecure dependency in eval while running with -T switch at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 107.
at /usr/local/share/perl5/Crypt/OpenPGP/Util.pm line 104.
Crypt::OpenPGP::Util::get_random_bytes(490) called at /usr/local/share/perl5/Crypt/OpenPGP/SessionKey.pm line 96

It is suggested that this code may be responsible, from Util.pm:

sub get_random_bytes {
my $length = shift;
if (eval 'require Crypt::Random; 1;') {
return Crypt::Random::makerandom_octet( Length => $length);
}
elsif (eval 'require Bytes::Random::Secure; 1;') {
return Bytes::Random::Secure::random_bytes($length);
}
else {
die "No random source available!";
}
}

Gerv

[floatingatoll]

Module::Load::Conditional has been around a few years, has no C/XS dependencies, and was integrated into core around 5.22 (I believe?). It would help remove the above evals.

[dylanwh]

the above evals are not needed at all. Just use an eval { } block. "require" is not compile time.
if (eval { require Bytes::Random::Secure; 1 }) {...}