From b21de28bb70117d9bfe73efeb7d6bb5691b043e5 Mon Sep 17 00:00:00 2001 From: Leigh Date: Tue, 5 Jul 2016 16:02:34 +0100 Subject: [PATCH] Fix some insecure usages of php_rand --- ext/soap/php_http.c | 8 ++++++-- ext/standard/crypt.c | 10 +++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c index ee8514b11e..dd87ec1214 100644 --- a/ext/soap/php_http.c +++ b/ext/soap/php_http.c @@ -22,7 +22,7 @@ #include "php_soap.h" #include "ext/standard/base64.h" #include "ext/standard/md5.h" -#include "ext/standard/php_rand.h" +#include "ext/standard/php_random.h" static char *get_http_header_value(char *headers, char *type); static zend_string *get_http_body(php_stream *socketd, int close, char *headers); @@ -639,11 +639,15 @@ try_again: if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { if (Z_TYPE_P(digest) == IS_ARRAY) { char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; + zend_long nonce; PHP_MD5_CTX md5ctx; unsigned char hash[16]; + php_random_bytes_throw(&nonce, sizeof(nonce)); + nonce &= 0x7fffffff; + PHP_MD5Init(&md5ctx); - snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, php_rand()); + snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce); PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); PHP_MD5Final(hash, &md5ctx); make_digest(cnonce, hash); diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 9249d9d96b..3604e19b02 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -54,15 +54,12 @@ #include #endif -#include "php_lcg.h" #include "php_crypt.h" -#include "php_rand.h" +#include "php_random.h" /* sha512 crypt has the maximal salt length of 123 characters */ #define PHP_MAX_SALT_LEN 123 -#define PHP_CRYPT_RAND php_rand() - /* Used to check DES salts to ensure that they contain only valid characters */ #define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z')) @@ -266,9 +263,8 @@ PHP_FUNCTION(crypt) /* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */ if (!*salt) { - strncpy(salt, "$1$", PHP_MAX_SALT_LEN); - php_to64(&salt[3], PHP_CRYPT_RAND, 4); - php_to64(&salt[7], PHP_CRYPT_RAND, 4); + strncpy(salt, "$1$", 3); + php_random_bytes_throw(&salt[3], 8); strncpy(&salt[11], "$", PHP_MAX_SALT_LEN - 11); salt_in_len = strlen(salt); } else { -- 2.50.1