[Tickets #8425] Re: Poor salt generation for crypt-*

bugs at horde.org
Sat Jul 11 16:57:59 UTC 2009


Ticket URL: http://bugs.horde.org/ticket/8425
------------------------------------------------------------------------------
  Ticket             | 8425
  Updated By         | Chuck Hagenbuch <chuck at horde.org>
  Summary            | Poor salt generation for crypt-*
  Queue              | Horde Framework Packages
-Version            | FRAMEWORK_3
+Version            | Git master
  Type               | Bug
-State              | Unconfirmed
+State              | Feedback
  Priority           | 2. Medium
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Chuck Hagenbuch <chuck at horde.org> (2009-07-11 12:57) wrote:

I think the code has changed a bit in the latest version. I've got  
this for the crypt-md5 case:

diff --git a/framework/Auth/lib/Horde/Auth.php  
b/framework/Auth/lib/Horde/Auth.php
index 8a5695a..fce7771 100644
--- a/framework/Auth/lib/Horde/Auth.php
+++ b/framework/Auth/lib/Horde/Auth.php
@@ -266,7 +266,7 @@ class Horde_Auth
          case 'crypt-md5':
              return $seed
                  ? substr(preg_replace('|^{crypt}|i', '', $seed), 0, 12)
-                : '$1$' . substr(hash('md5', mt_rand()), 0, 8) . '$';
+                : '$1$' . base64_encode(hash('md5',  
sprintf('%08X%08X', mt_rand(), mt_rand()), true)) . '$';

          case 'crypt-blowfish':
              return $seed
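
Review bot: the salt built on the added line does not match the crypt-md5 shape that the seed branch just above assumes. base64_encode() of the 16 raw MD5 bytes is 24 characters long, ends in "==" and can contain "+" and "/", whereas substr(..., 0, 12) in the seed branch corresponds to "$1$" plus 8 salt characters and a closing "$". Suggest cutting the encoded value to 8 characters and replacing "+" with "." so that every character falls in ./0-9A-Za-z. Separately, both inputs to the hash still come from mt_rand(), so the salt is only as unpredictable as that generator's state; a comment saying so, or a stronger source where one is available, would help.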

What would you suggest for crypt and crypt-des? It's currently:

         case 'crypt':
         case 'crypt-des':
             return $seed
                 ? substr(preg_replace('|^{crypt}|i', '', $seed), 0, 2)
                 : substr(hash('md5', mt_rand()), 0, 2);

Thanks!
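
An added example, not part of the original message and not Horde's code: the crypt-des line quoted above takes both salt characters from hex digits, so only 16 × 16 = 256 of the 4096 possible DES salts can occur. The sketch below draws salts from the full crypt alphabet instead; `crypt_salt_chars()` and `make_salt()` are hypothetical helpers, and `random_int()` assumes PHP 7 or later.

```php
<?php
// Added example, not Horde code. crypt_salt_chars() and make_salt() are
// hypothetical helpers; random_int() requires PHP 7 or later.

// The 64-character alphabet crypt(3) uses for salts: ./0-9A-Za-z
const CRYPT_ALPHABET =
    './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** Return $n characters drawn uniformly from the crypt salt alphabet. */
function crypt_salt_chars(int $n): string
{
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        // random_int() is backed by the OS CSPRNG; 0..63 is 6 bits per char.
        $out .= substr(CRYPT_ALPHABET, random_int(0, 63), 1);
    }
    return $out;
}

/** Build a fresh salt for the encryption types discussed in the ticket. */
function make_salt(string $type): string
{
    switch ($type) {
        case 'crypt':
        case 'crypt-des':
            return crypt_salt_chars(2);               // 64^2 = 4096 salts
        case 'crypt-md5':
            return '$1$' . crypt_salt_chars(8) . '$'; // 64^8 salts
        default:
            throw new InvalidArgumentException("unsupported type: $type");
    }
}

// Count the distinct salts the quoted crypt-des expression can produce:
// two hex digits of an MD5, whatever the input (constructed inputs 0..4999).
$hexSalts = [];
for ($i = 0; $i < 5000; $i++) {
    $hexSalts[substr(hash('md5', (string) $i), 0, 2)] = true;
}
printf("hex-derived DES salts: %d of %d possible\n", count($hexSalts), 4096);

foreach (['crypt-des', 'crypt-md5'] as $type) {
    $salt = make_salt($type);
    printf("%-9s salt=%s hash=%s\n", $type, $salt, crypt('example', $salt));
}
```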