Improve randomness of password salts and random hashes (#5266)
alecpl committed Oct 1, 2016
1 parent ea8c7ef commit 9e12938
Showing 3 changed files with 10 additions and 27 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================

- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller accounts (#5252)
- Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)
34 changes: 8 additions & 26 deletions plugins/password/password.php
Expand Up @@ -427,19 +427,19 @@ static function hash_password($password, $method = '', $prefixed = true)
switch ($method) {
case 'des':
case 'des-crypt':
$crypted = crypt($password, self::random_salt(2));
$crypted = crypt($password, rcube_utils::random_bytes(2));
$prefix = '{CRYPT}';
break;

case 'ext_des': // for BC
case 'ext-des-crypt':
$crypted = crypt($password, '_' . self::random_salt(8));
$crypted = crypt($password, '_' . rcube_utils::random_bytes(8));
$prefix = '{CRYPT}';
break;

case 'md5crypt': // for BC
case 'md5-crypt':
$crypted = crypt($password, '$1$' . self::random_salt(9));
$crypted = crypt($password, '$1$' . rcube_utils::random_bytes(9));
$prefix = '{CRYPT}';
break;

Expand All @@ -451,7 +451,7 @@ static function hash_password($password, $method = '', $prefixed = true)
$prefix .= 'rounds=' . $rounds . '$';
}

$crypted = crypt($password, $prefix . self::random_salt(16));
$crypted = crypt($password, $prefix . rcube_utils::random_bytes(16));
$prefix = '{CRYPT}';
break;

Expand All @@ -463,7 +463,7 @@ static function hash_password($password, $method = '', $prefixed = true)
$prefix .= 'rounds=' . $rounds . '$';
}

$crypted = crypt($password, $prefix . self::random_salt(16));
$crypted = crypt($password, $prefix . rcube_utils::random_bytes(16));
$prefix = '{CRYPT}';
break;

Expand All @@ -473,7 +473,7 @@ static function hash_password($password, $method = '', $prefixed = true)
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$prefix = sprintf('$2a$%02d$', $cost);

$crypted = crypt($password, $prefix . self::random_salt(22));
$crypted = crypt($password, $prefix . rcube_utils::random_bytes(22));
$prefix = '{CRYPT}';
break;

Expand Down Expand Up @@ -504,7 +504,7 @@ static function hash_password($password, $method = '', $prefixed = true)
break;

case 'ssha':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
$salt = rcube_utils::random_bytes(8);

if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4);
Expand All @@ -530,7 +530,7 @@ static function hash_password($password, $method = '', $prefixed = true)
break;

case 'smd5':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
$salt = rcube_utils::random_bytes(8);

if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4);
Expand Down Expand Up @@ -653,22 +653,4 @@ static function hash_password($password, $method = '', $prefixed = true)

return $crypted;
}

/**
* Used to generate a random salt for crypt-style passwords
*
* Code originaly from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*/
static function random_salt($length)
{
$possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./';
$str = '';

while (strlen($str) < $length) {
$str .= substr($possible, (rand() % strlen($possible)), 1);
}

return $str;
}
}
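Review bot: Every crypt() branch in the first five hunks (des, ext-des, md5-crypt, the two sha-crypt variants and blowfish) now passes the output of `rcube_utils::random_bytes(N)` straight into the salt, whereas the removed `random_salt()` only ever emitted characters from crypt's `./0-9A-Za-z` alphabet; the helper is not visible in this commit and its name suggests raw bytes, so confirm it returns printable salt characters, because a salt outside that alphabet makes crypt() return a short failure string (for example `*0` on a rejected bcrypt salt) that would then be stored as the user's password hash. Independently of what the helper returns, the value handed back at the end of the last hunk is not checked: crypt() signals failure with a result shorter than 13 characters, so guard `$crypted` before `return $crypted;` using whatever failure convention hash_password already uses for unsupported methods. A one-line comment on the first branch would keep the invariant from being lost again: `// salt must stay within crypt's ./0-9A-Za-z alphabet`. The ssha/smd5 branches previously used 8 raw salt bytes; if the helper encodes its output, the salt entropy per character drops, which is acceptable for a salt but worth stating next to `rcube_utils::random_bytes(8)`. hash_password() begins above the first hunk, and the enclosing class closes on the section's last line.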
2 changes: 1 addition & 1 deletion program/lib/Roundcube/rcube_user.php
Expand Up @@ -252,7 +252,7 @@ function get_hash()

// generate a random hash and store it in user prefs
if (empty($prefs['client_hash'])) {
$prefs['client_hash'] = md5($this->data['username'] . mt_rand() . $this->data['mail_host']);
$prefs['client_hash'] = rcube_utils::random_bytes(16);
$this->save_prefs(array('client_hash' => $prefs['client_hash']));
}

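Review bot: The stored `client_hash` changes shape from a 32-character md5 hex string to whatever `rcube_utils::random_bytes(16)` returns, and that helper is not shown in this commit; if it yields raw bytes, the value is serialised into user prefs by `save_prefs()` on the next line and presumably exchanged with the client, so confirm it is a printable string and that no consumer relies on the former 32-character length. Recording the intent inline would stop a future reader from reintroducing a time-seeded value: `// unpredictable per-user token stored in prefs; must be printable — verify random_bytes() encoding`. get_hash() starts before the hunk and returns below it.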
