[Fusionforge-general] Review request: fixing password salts

Sylvain Beucler - Inria sylvain.beucler at inria.fr
Mon Nov 16 16:57:21 CET 2015


Hi,

I had a deeper look at the password generation and noticed that:

- CRYPT-MD5 salt have a length of 2 while they can have up to 8 chars
   (meaning you get salt duplicates when you have more than 4K users)

- Blowfish salt is invalid which results in DES3 hashes in the DB

- crypt(3) now accepts CRYPT-SHA-256/512 but FusionForge doesn't support it
   (I suggest we default to SHA-512 in FF 6.1, like basically all 
GNU/Linux distros)

The attached short patch hopefully addresses these issues. Test-case 
included :)
It is intended for the stable 6.0 branch, and is security-sensitive, 
hence I'm requesting your review :)

Notes: the code may not be optimal as is uses genchr() which requires 
5-6x more entropy than needed.
Also I didn't modify genchr/util_randnum, which look a bit cryptic. 
AFAICS these come from Evolvis, so,
Thorsten: is it still necessary to roll-out our own PRNG, or did PHP 
improve since ?

Cheers!
Sylvain

-------------- section suivante --------------
Une pièce jointe autre que texte a été nettoyée...
Nom: salts.diff
Type: text/x-patch
Taille: 5458 octets
Desc: non disponible
URL: <http://lists.fusionforge.org/pipermail/fusionforge-general/attachments/20151116/427565ea/attachment.bin>


More information about the Fusionforge-general mailing list