From: Mikael Nordfeldth Date: Mon, 21 Oct 2013 11:16:03 +0000 (+0200) Subject: Generate better salt for crypt() X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=7233869298e57a929c14deb52acb96ccdfda57a5;p=quix0rs-gnu-social.git Generate better salt for crypt() --- diff --git a/plugins/AuthCrypt/AuthCryptPlugin.php b/plugins/AuthCrypt/AuthCryptPlugin.php index 26366879e6..560df10559 100644 --- a/plugins/AuthCrypt/AuthCryptPlugin.php +++ b/plugins/AuthCrypt/AuthCryptPlugin.php @@ -49,7 +49,7 @@ class AuthCryptPlugin extends AuthenticationPlugin return false; } - // crypt cuts the second parameter to its appropriate length based on hash scheme + // crypt understands what the salt part of $user->password is if ($user->password === crypt($password, $user->password)) { return $user; } @@ -66,6 +66,18 @@ class AuthCryptPlugin extends AuthenticationPlugin return false; } + protected function cryptSalt($len=CRYPT_SALT_LENGTH) + { + $chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + $salt = ''; + + for ($i=0; $i<$len; $i++) { + $salt .= $chars{mt_rand(0, strlen($chars)-1)}; + } + + return $salt; + } + // $oldpassword is already verified when calling this function... shouldn't this be private?! function changePassword($username, $oldpassword, $newpassword) { @@ -87,8 +99,7 @@ class AuthCryptPlugin extends AuthenticationPlugin public function hashPassword($password, Profile $profile=null) { // A new, unique salt per new record stored... - // TODO: common_good_rand should be more diverse than hexdec - return crypt($password, $this->hash . common_good_rand(CRYPT_SALT_LENGTH)); + return crypt($password, $this->hash . self::cryptSalt()); } /*