[Tickets #8425] Re: Poor salt generation for crypt-*
bugs at horde.org
Sat Jul 11 16:57:59 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/8425
------------------------------------------------------------------------------
Ticket | 8425
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | Poor salt generation for crypt-*
Queue | Horde Framework Packages
-Version | FRAMEWORK_3
+Version | Git master
Type | Bug
-State | Unconfirmed
+State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2009-07-11 12:57) wrote:
I think the code has changed a bit in the latest version. I've got
this for the crypt-md5 case:
diff --git a/framework/Auth/lib/Horde/Auth.php
b/framework/Auth/lib/Horde/Auth.php
index 8a5695a..fce7771 100644
--- a/framework/Auth/lib/Horde/Auth.php
+++ b/framework/Auth/lib/Horde/Auth.php
@@ -266,7 +266,7 @@ class Horde_Auth
case 'crypt-md5':
return $seed
? substr(preg_replace('|^{crypt}|i', '', $seed), 0, 12)
- : '$1$' . substr(hash('md5', mt_rand()), 0, 8) . '$';
+ : '$1$' . base64_encode(hash('md5',
sprintf('%08X%08X', mt_rand(), mt_rand()), true)) . '$';
case 'crypt-blowfish':
return $seed
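Review bot: The `+` line passes the whole of `base64_encode(hash('md5', ..., true))` through with no `substr()`, so the generated salt is a 24-character base64 string. That is far longer than the 8 salt characters implied by `substr(..., 0, 12)` in the seeded branch just above, and it can contain `+` and `=`, which are outside the `./0-9A-Za-z` crypt salt alphabet. Suggest cutting it to 8 characters and mapping them into that alphabet. Separately, both inputs still come from `mt_rand()`, which is not a cryptographic generator; hashing two draws changes the encoding but not how predictable the salt is, so a CSPRNG source would be preferable where one is available.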
What would you suggest for crypt and crypt-des? It's currently:
    case 'crypt':
    case 'crypt-des':
        return $seed
            ? substr(preg_replace('|^{crypt}|i', '', $seed), 0, 2)
            : substr(hash('md5', mt_rand()), 0, 2);
Thanks!
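
One way to produce well-formed salts for the crypt, crypt-des and crypt-md5 cases discussed above, as an added example that is not part of the original message and is not Horde code. It draws each character directly from the crypt salt alphabet using a CSPRNG. Assumptions: PHP 7 or later for random_int(); the function names are hypothetical.

```php
<?php
// Added example, not Horde code. Function names are hypothetical.
// Assumes PHP 7+ so that random_int() (backed by the OS CSPRNG) exists.

/** Return $length characters drawn uniformly from the crypt(3) salt alphabet. */
function example_crypt_salt_chars(int $length): string
{
    // 2 + 10 + 26 + 26 = 64 symbols, so each character carries 6 bits.
    $alphabet = './0123456789'
        . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        . 'abcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return $salt;
}

/** Build a fresh salt for the given scheme, in the form crypt() expects. */
function example_new_salt(string $scheme): string
{
    switch ($scheme) {
        case 'crypt':
        case 'crypt-des':
            // Traditional DES crypt: exactly 2 salt characters (12 bits).
            return example_crypt_salt_chars(2);
        case 'crypt-md5':
            // MD5 crypt: '$1$' + 8 salt characters + '$' = 12 bytes, the
            // same length the seeded branch keeps with substr(..., 0, 12).
            return '$1$' . example_crypt_salt_chars(8) . '$';
        default:
            throw new InvalidArgumentException("Unsupported scheme: $scheme");
    }
}

// Self-check: every generated salt must match its scheme's shape and alphabet.
$patterns = [
    'crypt-des' => '|^[./0-9A-Za-z]{2}$|',
    'crypt-md5' => '|^\$1\$[./0-9A-Za-z]{8}\$$|',
];
foreach ($patterns as $scheme => $pattern) {
    $salt = example_new_salt($scheme);
    if (!preg_match($pattern, $salt)) {
        throw new RuntimeException("Malformed $scheme salt: $salt");
    }
    echo $scheme, ': ', $salt, "\n";
}
```

For crypt and crypt-des the salt space stays at 12 bits whatever the random source, because the scheme itself only has room for two salt characters.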