From 9e129383a1e060700a1a3a2c8720375873cbf893 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sat, 1 Oct 2016 08:23:19 +0200 Subject: [PATCH] Improve randomness of password salts and random hashes (#5266) --- CHANGELOG | 1 + plugins/password/password.php | 34 +++++++--------------------- program/lib/Roundcube/rcube_user.php | 2 +- 3 files changed, 10 insertions(+), 27 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 2330a83fe5e..eb01fe42631 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Improve randomness of password salts and random hashes (#5266) - Password/cPanel: Add support for hash authentication and reseller accounts (#5252) - Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136) - Center and scale images in attachment preview frame (#5421) diff --git a/plugins/password/password.php b/plugins/password/password.php index 520f2504e0a..7f30b65c31c 100644 --- a/plugins/password/password.php +++ b/plugins/password/password.php @@ -427,19 +427,19 @@ static function hash_password($password, $method = '', $prefixed = true) switch ($method) { case 'des': case 'des-crypt': - $crypted = crypt($password, self::random_salt(2)); + $crypted = crypt($password, rcube_utils::random_bytes(2)); $prefix = '{CRYPT}'; break; case 'ext_des': // for BC case 'ext-des-crypt': - $crypted = crypt($password, '_' . self::random_salt(8)); + $crypted = crypt($password, '_' . rcube_utils::random_bytes(8)); $prefix = '{CRYPT}'; break; case 'md5crypt': // for BC case 'md5-crypt': - $crypted = crypt($password, '$1$' . self::random_salt(9)); + $crypted = crypt($password, '$1$' . rcube_utils::random_bytes(9)); $prefix = '{CRYPT}'; break; @@ -451,7 +451,7 @@ static function hash_password($password, $method = '', $prefixed = true) $prefix .= 'rounds=' . $rounds . '$'; } - $crypted = crypt($password, $prefix . self::random_salt(16)); + $crypted = crypt($password, $prefix . rcube_utils::random_bytes(16)); $prefix = '{CRYPT}'; break; @@ -463,7 +463,7 @@ static function hash_password($password, $method = '', $prefixed = true) $prefix .= 'rounds=' . $rounds . '$'; } - $crypted = crypt($password, $prefix . self::random_salt(16)); + $crypted = crypt($password, $prefix . rcube_utils::random_bytes(16)); $prefix = '{CRYPT}'; break; @@ -473,7 +473,7 @@ static function hash_password($password, $method = '', $prefixed = true) $cost = $cost < 4 || $cost > 31 ? 12 : $cost; $prefix = sprintf('$2a$%02d$', $cost); - $crypted = crypt($password, $prefix . self::random_salt(22)); + $crypted = crypt($password, $prefix . rcube_utils::random_bytes(22)); $prefix = '{CRYPT}'; break; @@ -504,7 +504,7 @@ static function hash_password($password, $method = '', $prefixed = true) break; case 'ssha': - $salt = substr(pack('h*', md5(mt_rand())), 0, 8); + $salt = rcube_utils::random_bytes(8); if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { $salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4); @@ -530,7 +530,7 @@ static function hash_password($password, $method = '', $prefixed = true) break; case 'smd5': - $salt = substr(pack('h*', md5(mt_rand())), 0, 8); + $salt = rcube_utils::random_bytes(8); if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { $salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4); @@ -653,22 +653,4 @@ static function hash_password($password, $method = '', $prefixed = true) return $crypted; } - - /** - * Used to generate a random salt for crypt-style passwords - * - * Code originaly from the phpLDAPadmin development team - * http://phpldapadmin.sourceforge.net/ - */ - static function random_salt($length) - { - $possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./'; - $str = ''; - - while (strlen($str) < $length) { - $str .= substr($possible, (rand() % strlen($possible)), 1); - } - - return $str; - } } diff --git a/program/lib/Roundcube/rcube_user.php b/program/lib/Roundcube/rcube_user.php index bda6e54b686..f0c4e792ae5 100644 --- a/program/lib/Roundcube/rcube_user.php +++ b/program/lib/Roundcube/rcube_user.php @@ -252,7 +252,7 @@ function get_hash() // generate a random hash and store it in user prefs if (empty($prefs['client_hash'])) { - $prefs['client_hash'] = md5($this->data['username'] . mt_rand() . $this->data['mail_host']); + $prefs['client_hash'] = rcube_utils::random_bytes(16); $this->save_prefs(array('client_hash' => $prefs['client_hash'])); }