Bug #12801: User password hashes pseudo-random number generator may return insecure salt value - pfSense - pfSense bugtracker

Actions

Copy link

Bug #12801

closed

User password hashes pseudo-random number generator may return insecure salt value

Added by Viktor Gurov almost 3 years ago. Updated almost 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Viktor Gurov

Category:

Authentication

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.05

Release Notes:

Default

Affected Version:

2.6.0

Affected Architecture:

Description

https://github.com/pfsense/pfsense/blob/master/src/etc/inc/auth.inc#L819:

$salt = substr(bin2hex(openssl_random_pseudo_bytes(16)),0,16);

openssl_random_pseudo_bytes(16) omits the strong_result parameter (null)

from https://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php:

Parameters 

length
The length of the desired string of bytes. Must be a positive integer. 
PHP will try to cast this parameter to a non-null integer to use it.

strong_result
If passed into the function, this will hold a bool value that determines 
if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG,
passwords, etc. true if it did, otherwise false

must be:
openssl_random_pseudo_bytes(16, true)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #12801

User password hashes pseudo-random number generator may return insecure salt value

Updated by Jim Pingle almost 3 years ago

Updated by Viktor Gurov almost 3 years ago

Updated by Jim Pingle almost 3 years ago

Updated by Viktor Gurov almost 3 years ago

Updated by Jim Pingle almost 3 years ago

Updated by Viktor Gurov almost 3 years ago

Updated by Jim Pingle over 2 years ago

Updated by Jim Pingle almost 2 years ago