Stronger server salt

ZeroBin now generates a much stronger salt. This fixes issue sebsauvage#68 (mentioned in section 2.1 of https://defuse.ca/audits/zerobin.htm)
fpunktk · Feb 6, 2014 · a24212a · a24212a
1 parent 09d39a9
commit a24212a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 11 deletions.
diff --git a/lib/serversalt.php b/lib/serversalt.php
@@ -4,7 +4,14 @@
 function generateRandomSalt()
 {
     $randomSalt='';
-    for($i=0;$i<16;$i++) { $randomSalt.=base_convert(mt_rand(),10,16); }
+    if (function_exists("mcrypt_create_iv"))
+    {
+        $randomSalt = bin2hex(mcrypt_create_iv(256, MCRYPT_DEV_URANDOM));
+    }
+    else // fallback to mt_rand()
+    {
+        for($i=0;$i<16;$i++) { $randomSalt.=base_convert(mt_rand(),10,16); }
+    }
     return $randomSalt;
 }
 

diff --git a/lib/vizhash_gd_zero.php b/lib/vizhash_gd_zero.php
@@ -74,16 +74,7 @@ function generate($text)
 
         return $imagedata;
     } 
-
-    // Generate a large random hexadecimal salt.
-    private function randomSalt()
-    {
-        $randomSalt='';
-        for($i=0;$i<6;$i++) { $randomSalt.=base_convert(mt_rand(),10,16); }
-        return $randomSalt;
-    }
-
-
+
     private function getInt() // Returns a single integer from the $VALUES array (0...255)
     {
         $v= $this->VALUES[$this->VALUES_INDEX];