Improve randomness of password salts and random hashes (#5266)

Aleksander Machniak 8 years ago
parent ea8c7efae8
commit 9e129383a1

@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================
- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller accounts (#5252)
- Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)

@ -427,19 +427,19 @@ class password extends rcube_plugin
switch ($method) {
case 'des':
case 'des-crypt':
$crypted = crypt($password, self::random_salt(2));
$crypted = crypt($password, rcube_utils::random_bytes(2));
$prefix = '{CRYPT}';
break;
case 'ext_des': // for BC
case 'ext-des-crypt':
$crypted = crypt($password, '_' . self::random_salt(8));
$crypted = crypt($password, '_' . rcube_utils::random_bytes(8));
$prefix = '{CRYPT}';
break;
case 'md5crypt': // for BC
case 'md5-crypt':
$crypted = crypt($password, '$1$' . self::random_salt(9));
$crypted = crypt($password, '$1$' . rcube_utils::random_bytes(9));
$prefix = '{CRYPT}';
break;
@ -451,7 +451,7 @@ class password extends rcube_plugin
$prefix .= 'rounds=' . $rounds . '$';
}
$crypted = crypt($password, $prefix . self::random_salt(16));
$crypted = crypt($password, $prefix . rcube_utils::random_bytes(16));
$prefix = '{CRYPT}';
break;
@ -463,7 +463,7 @@ class password extends rcube_plugin
$prefix .= 'rounds=' . $rounds . '$';
}
$crypted = crypt($password, $prefix . self::random_salt(16));
$crypted = crypt($password, $prefix . rcube_utils::random_bytes(16));
$prefix = '{CRYPT}';
break;
@ -473,7 +473,7 @@ class password extends rcube_plugin
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$prefix = sprintf('$2a$%02d$', $cost);
$crypted = crypt($password, $prefix . self::random_salt(22));
$crypted = crypt($password, $prefix . rcube_utils::random_bytes(22));
$prefix = '{CRYPT}';
break;
@ -504,7 +504,7 @@ class password extends rcube_plugin
break;
case 'ssha':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
$salt = rcube_utils::random_bytes(8);
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4);
@ -530,7 +530,7 @@ class password extends rcube_plugin
break;
case 'smd5':
$salt = substr(pack('h*', md5(mt_rand())), 0, 8);
$salt = rcube_utils::random_bytes(8);
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4);
@ -653,22 +653,4 @@ class password extends rcube_plugin
return $crypted;
}
/**
* Used to generate a random salt for crypt-style passwords
*
* Code originaly from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*/
static function random_salt($length)
{
$possible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./';
$str = '';
while (strlen($str) < $length) {
$str .= substr($possible, (rand() % strlen($possible)), 1);
}
return $str;
}
}
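Review bot: Every crypt() call in this section now depends on rcube_utils::random_bytes() emitting only characters from the crypt salt alphabet `./0-9A-Za-z`; the helper is not part of this diff, and its name suggests raw bytes, which crypt() rejects by returning a short failure string (shorter than 13 characters, `*0`/`*1` for bcrypt) that the unchanged `return $crypted;` would then hand back as if it were a valid hash. The bcrypt branch built on the `$2a$%02d$` prefix is the strictest case, since its salt must be exactly 22 characters from that alphabet, and none of the branches checks crypt()'s result. A cheap guard ahead of the return, `if ($crypted === false || strlen($crypted) < 13) { return false; }` (matching whatever failure convention the enclosing method already uses; its body starts before the first hunk), would turn a silently stored junk hash into a reported error. Separately, the `ssha` and `smd5` salts are base64-wrapped before storage, so if the helper offers a raw mode, `rcube_utils::random_bytes(8, true)` would yield a full 64-bit salt rather than the roughly 47 bits an 8-character alphanumeric string carries.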

@ -252,7 +252,7 @@ class rcube_user
// generate a random hash and store it in user prefs
if (empty($prefs['client_hash'])) {
$prefs['client_hash'] = md5($this->data['username'] . mt_rand() . $this->data['mail_host']);
$prefs['client_hash'] = rcube_utils::random_bytes(16);
$this->save_prefs(array('client_hash' => $prefs['client_hash']));
}
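Review bot: The replacement changes client_hash from a 32-character hex digest to a 16-character string with a different alphabet, and users whose prefs already contain the old value keep it, so anything that validates or sizes this field (a length check, a column width, a hex-only filter) now has to accept both formats. Its strength rests on rcube_utils::random_bytes() being CSPRNG-backed, which this diff does not show; a one-line comment on the assignment, `// opaque per-user token generated once; relies on rcube_utils::random_bytes() being CSPRNG-backed`, would make that dependency explicit. Wherever client_hash is later compared against a client-supplied value, the comparison should use `hash_equals()` rather than `==` so it is constant-time. The enclosing method starts and ends outside this hunk.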
