[Fusionforge-general] Review request: fixing password salts
Sylvain Beucler - Inria
sylvain.beucler at inria.fr
Mon Nov 16 16:57:21 CET 2015
Hi,
I had a deeper look at the password generation and noticed that:
- CRYPT-MD5 salt have a length of 2 while they can have up to 8 chars
(meaning you get salt duplicates when you have more than 4K users)
- Blowfish salt is invalid which results in DES3 hashes in the DB
- crypt(3) now accepts CRYPT-SHA-256/512 but FusionForge doesn't support it
(I suggest we default to SHA-512 in FF 6.1, like basically all
GNU/Linux distros)
The attached short patch hopefully addresses these issues. Test-case
included :)
It is intended for the stable 6.0 branch, and is security-sensitive,
hence I'm requesting your review :)
Notes: the code may not be optimal as is uses genchr() which requires
5-6x more entropy than needed.
Also I didn't modify genchr/util_randnum, which look a bit cryptic.
AFAICS these come from Evolvis, so,
Thorsten: is it still necessary to roll-out our own PRNG, or did PHP
improve since ?
Cheers!
Sylvain
-------------- section suivante --------------
Une pièce jointe autre que texte a été nettoyée...
Nom: salts.diff
Type: text/x-patch
Taille: 5458 octets
Desc: non disponible
URL: <http://lists.fusionforge.org/pipermail/fusionforge-general/attachments/20151116/427565ea/attachment.bin>
More information about the Fusionforge-general
mailing list