From 79dd8c728f29d35dc3f971cd936e164927002bde Mon Sep 17 00:00:00 2001 From: kink Date: Thu, 21 Aug 2008 12:16:20 +0000 Subject: [PATCH] rework seed generation: this is something that really belongs in init.php so do it there. Input enough random components from diferent dimensions, so hard to predict. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13268 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 1 + functions/global.php | 1 - functions/strings.php | 81 ------------------------ include/init.php | 29 +++++++++ plugins/change_password/backend/ldap.php | 4 -- themes/darkness.php | 21 ++---- themes/greenhouse_effect.php | 6 -- themes/in_the_pink.php | 6 -- themes/kind_of_blue.php | 6 -- themes/monostochastic.php | 6 -- themes/random.php | 4 -- themes/shades_of_grey.php | 6 -- themes/spice_of_life.php | 6 -- themes/spice_of_life_dark.php | 6 -- themes/spice_of_life_lite.php | 6 -- 15 files changed, 37 insertions(+), 152 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0c87ca9d..dae32fc8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -261,6 +261,7 @@ Version 1.5.2 - SVN (third party) plugin. - Allow a different server address for the POP server to be configured when using POP before SMTP. + - Seed random number generator in one place during script init. Version 1.5.1 (branched on 2006-02-12) -------------------------------------- diff --git a/functions/global.php b/functions/global.php index a5c24d02..a54bcfe1 100644 --- a/functions/global.php +++ b/functions/global.php @@ -546,7 +546,6 @@ function sqsetcookie($sName,$sValue='deleted',$iExpire=0,$sPath="",$sDomain="",$ if (!function_exists('session_regenerate_id')) { function php_combined_lcg() { - sq_mt_randomize(); $tv = gettimeofday(); $lcg['s1'] = $tv['sec'] ^ (~$tv['usec']); $lcg['s2'] = mt_rand(); diff --git a/functions/strings.php b/functions/strings.php index 9383d83d..61f88dfa 100644 --- a/functions/strings.php +++ b/functions/strings.php 
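Review bot: With the local `sq_mt_randomize()` call gone, `$lcg['s2'] = mt_rand()` in `php_combined_lcg()` is a plain output of the Mersenne Twister state that `include/init.php` now seeds once from a single integer, and `$lcg['s1']` comes from `gettimeofday()`, which a remote party can estimate to within the request latency; together that gives the value at most about 32 bits of unpredictability, and nothing in the hunk records this limitation. The function continues past the hunk so I cannot see what consumes the value, but it sits under `if (!function_exists('session_regenerate_id'))`, which suggests a session-id fallback; if so, it should not be treated as unpredictable. At minimum document the dependency at the top of the function: `/* NOTE: relies on include/init.php having seeded mt_rand(); output is not cryptographically unpredictable */`.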
@@ -635,83 +635,6 @@ function OneTimePadDecrypt ($string, $epad) { return $decrypted; } - -/** - * Randomizes the mt_rand() function. - * - * Toss this in strings or integers and it will seed the generator - * appropriately. With strings, it is better to get them long. - * Use md5() to lengthen smaller strings. - * - * @param mixed $val a value to seed the random number generator. mixed = integer or string. - * @return void - * @since 1.0 - */ -function sq_mt_seed($Val) { - /* if mt_getrandmax() does not return a 2^n - 1 number, - this might not work well. This uses $Max as a bitmask. */ - $Max = mt_getrandmax(); - - if (! is_int($Val)) { - $Val = crc32($Val); - } - - if ($Val < 0) { - $Val *= -1; - } - - if ($Val == 0) { - return; - } - - mt_srand(($Val ^ mt_rand(0, $Max)) & $Max); -} - - -/** - * Init random number generator - * - * This function initializes the random number generator fairly well. - * It also only initializes it once, so you don't accidentally get - * the same 'random' numbers twice in one session. - * - * @return void - * @since 1.0 - */ -function sq_mt_randomize() { - static $randomized; - - if ($randomized) { - return; - } - - /* Global. */ - sqgetGlobalVar('REMOTE_PORT', $remote_port, SQ_SERVER); - sqgetGlobalVar('REMOTE_ADDR', $remote_addr, SQ_SERVER); - sq_mt_seed((int)((double) microtime() * 1000000)); - sq_mt_seed(md5($remote_port . $remote_addr . getmypid())); - - /* getrusage */ - if (function_exists('getrusage')) { - /* Avoid warnings with Win32 */ - $dat = @getrusage(); - if (isset($dat) && is_array($dat)) { - $Str = ''; - foreach ($dat as $k => $v) - { - $Str .= $k . $v; - } - sq_mt_seed(md5($Str)); - } - } - - if(sqgetGlobalVar('UNIQUE_ID', $unique_id, SQ_SERVER)) { - sq_mt_seed(md5($unique_id)); - } - - $randomized = 1; -} - /** * Creates encryption key * 
@@ -724,8 +647,6 @@ function sq_mt_randomize() { * @since 1.0 */ function OneTimePadCreate ($length=100) { - sq_mt_randomize(); - $pad = ''; for ($i = 0; $i < $length; $i++) { $pad .= chr(mt_rand(0,255)); @@ -789,8 +710,6 @@ function GenerateRandomString($size, $chars, $flags = 0) { return ''; } - sq_mt_randomize(); /* Initialize the random number generator */ - $String = ''; $j = strlen( $chars ) - 1; while (strlen($String) < $size) { diff --git a/include/init.php b/include/init.php index 38992393..166967aa 100644 --- a/include/init.php +++ b/include/init.php @@ -87,6 +87,35 @@ if (!(bool)ini_get('session.use_cookies') || ini_set('session.use_cookies','1'); } +/** + * Initialize seed of random number generator. + * We use a number of things to randomize input: current time in ms, + * info about the remote client, info about the current process, the + * randomness of uniqid and stat of the current file. + * + * We seed this here only once per init, not only to save cycles + * but also to make the result of mt_rand more random (it now also + * depends on the number of times mt_rand was called before in this + * execution. + */ +$seed = microtime() . $_SERVER['REMOTE_PORT'] . $_SERVER['REMOTE_ADDR'] . getmypid(); + +if (function_exists('getrusage')) { + /* Avoid warnings with Win32 */ + $dat = @getrusage(); + if (isset($dat) && is_array($dat)) { $seed .= implode('', $dat); } +} + +if(!empty($_SERVER['UNIQUE_ID'])) { + $seed .= $_SERVER['UNIQUE_ID']; +} + +$seed .= uniqid(mt_rand(),TRUE); +$seed .= implode( '', stat( __FILE__) ); + +/** PHP 4.2 and up don't require seeding, but their used seed algorithm + * is of questionable quality, so we keep doing it ourselves. */ +mt_srand(hexdec(md5($seed))); /** * calculate SM_PATH and calculate the base_uri diff --git a/plugins/change_password/backend/ldap.php b/plugins/change_password/backend/ldap.php index a947ba0d..dbf57618 100644 --- a/plugins/change_password/backend/ldap.php +++ b/plugins/change_password/backend/ldap.php 
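Review bot: After this change `OneTimePadCreate()` builds the whole pad from `mt_rand(0,255)`, so the pad is a deterministic function of the single integer that `include/init.php` passes to `mt_srand()`, and MT19937 is not a cryptographic generator: the pad has at most 32 bits of unpredictability whatever `$length` is, and the generator state can be recovered from enough observed outputs. The removed per-call `sq_mt_randomize()` did not cure that either, but removing it makes the pad depend entirely on the init-time seed, and this function is what protects secrets handled elsewhere with `OneTimePadEncrypt`/`OneTimePadDecrypt`. I would draw the pad from the kernel CSPRNG where it is readable and keep `mt_rand()` only as the fallback, as below; the function's tail, including its `return`, lies past the hunk.
```php
function OneTimePadCreate ($length=100) {
    $pad = '';
    /* Prefer the OS CSPRNG; mt_rand() is deterministic from a 32-bit seed and only a fallback. */
    if ($length > 0 && @is_readable('/dev/urandom') && ($fp = @fopen('/dev/urandom', 'rb')) !== false) {
        $pad = (string) fread($fp, $length);
        fclose($fp);
    }
    while (strlen($pad) < $length) {
        $pad .= chr(mt_rand(0,255));
    }
    // … unchanged: remainder of the function past the hunk …
```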
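Review bot: `mt_srand(hexdec(md5($seed)))` does not deliver what the header comment promises: `md5()` returns 32 hex digits, `hexdec()` of that is a float of the order of 3.4e38, and `mt_srand()` takes an integer, so the value is truncated in a platform-dependent way (the PHP manual of this era calls out-of-range float-to-int conversion undefined) and the carefully gathered `$seed` can collapse to one of a handful of effective seeds. Pass an integer that fits on every platform, e.g. `mt_srand(hexdec(substr(md5($seed), 0, 7)));` (28 bits; eight digits can already overflow a 32-bit int). Even then `mt_srand()` accepts only a 32-bit seed, and the client knows `microtime()` to within the request latency and its own `REMOTE_ADDR`/`REMOTE_PORT`, so the extra inputs raise the bar only modestly; the comment should state that `mt_rand()` remains unsuitable for keys, pads or salts, and "current time in ms" should read "microseconds", which is what `microtime()` returns. `$_SERVER['REMOTE_PORT']` and `$_SERVER['REMOTE_ADDR']` are read without `isset()`, which emits notices when this file is included from the CLI; guard them with `isset(...) ? ... : ''`, as the removed code did through `sqgetGlobalVar()`.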
@@ -550,11 +550,9 @@ function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') { case 'smd5': // minimal requirement = mhash extension with md5 support and php 4.0.4. if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) && defined('MHASH_MD5')) { - sq_mt_seed( (double) microtime() * 1000000 ); if ($forced_salt!='') { $salt=$forced_salt; } else { - sq_mt_randomize(); $salt = mhash_keygen_s2k( MHASH_MD5, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 ); } $ret = "{SMD5}".base64_encode( mhash( MHASH_MD5, $pass.$salt ).$salt ); @@ -591,11 +589,9 @@ function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') { case 'ssha': // minimal requirement = mhash extension and php 4.0.4 if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) && defined('MHASH_SHA1')) { - sq_mt_seed( (double) microtime() * 1000000 ); if ($forced_salt!='') { $salt=$forced_salt; } else { - sq_mt_randomize(); $salt = mhash_keygen_s2k( MHASH_SHA1, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 ); } $ret = "{SSHA}".base64_encode( mhash( MHASH_SHA1, $pass.$salt ).$salt ); diff --git a/themes/darkness.php b/themes/darkness.php index 8dac3df6..b7ca509e 100755 --- a/themes/darkness.php +++ b/themes/darkness.php @@ -12,17 +12,13 @@ * @subpackage themes */ -/** - * Load up the usual suspects.. */ -require_once(SM_PATH . 'functions/strings.php'); - - // Note: The text distance is actually pre-squared - // Background range is from 24-64, all three colors are the same - // Text range is from 196 to 255 - $BackgroundTargetDistance = 12; - $BackgroundAdjust = 1; - $TextTargetDistance = 65536; - $TextAdjust = 0.95; +// Note: The text distance is actually pre-squared +// Background range is from 24-64, all three colors are the same +// Text range is from 196 to 255 +$BackgroundTargetDistance = 12; +$BackgroundAdjust = 1; +$TextTargetDistance = 65536; +$TextAdjust = 0.95; function IsUnique($Distance, $r, $g, $b, $usedArray) { 
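Review bot: In both the `smd5` and `ssha` branches the salt is `substr( pack( "h*", md5( mt_rand() ) ), 0, 8 )`: eight bytes that are a pure function of one `mt_rand()` output, so there are at most 2^31 distinct salts and they are predictable to anyone who can reconstruct the Mersenne Twister state, which `include/init.php` now seeds once from a single integer. Dropping the per-call reseed does not change that, but this hunk is the place to fix it: read the 8 salt bytes from `/dev/urandom` where it is readable, and as a stopgap widen the salt space with `md5( mt_rand() . mt_rand() . microtime() . uniqid( '', TRUE ) )` (which raises the number of possible salts but not their unpredictability). The enclosing `cpw_ldap_password_hash()` starts before and ends after the hunk.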
@@ -74,9 +70,6 @@ global $squirrelmail_plugin_hooks; $squirrelmail_plugin_hooks['generic_header']['theme_darkness'] = 'Darkness_HeaderPlugin'; -/** seed the random number generator **/ -sq_mt_randomize(); - $color[3] = '#000000'; $color[4] = '#000000'; $used = array(0); diff --git a/themes/greenhouse_effect.php b/themes/greenhouse_effect.php index e524d36b..c6a751ca 100755 --- a/themes/greenhouse_effect.php +++ b/themes/greenhouse_effect.php @@ -19,12 +19,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator **/ -sq_mt_randomize(); - for ($i = 0; $i <= 16; $i++) { /* background/foreground toggle **/ if ($i == 0 || $i == 3 || $i == 4 || $i == 5 diff --git a/themes/in_the_pink.php b/themes/in_the_pink.php index d2db4fad..8ac1020d 100755 --- a/themes/in_the_pink.php +++ b/themes/in_the_pink.php @@ -20,12 +20,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/* seed the random number generator */ -sq_mt_randomize(); - for ($i = 0; $i <= 16; $i++) { /* background/foreground toggle */ if ($i == 0 or $i == 3 or $i == 4 or $i == 5 or $i == 9 or $i == 10 or $i == 12 or $i == 16) { diff --git a/themes/kind_of_blue.php b/themes/kind_of_blue.php index 630b255a..022d093c 100755 --- a/themes/kind_of_blue.php +++ b/themes/kind_of_blue.php @@ -20,12 +20,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator */ -sq_mt_randomize(); - for ($i = 0; $i <= 16; $i++) { /* background/foreground toggle */ if ($i == 0 or $i == 3 or $i == 4 or $i == 5 or $i == 9 or $i == 10 or $i == 12 or $i == 16) { 
diff --git a/themes/monostochastic.php b/themes/monostochastic.php index 2cc37c0f..fd7f1820 100755 --- a/themes/monostochastic.php +++ b/themes/monostochastic.php @@ -20,12 +20,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator */ -sq_mt_randomize(); - /** light(1) or dark(0) background toggle **/ $bg = mt_rand(0,1); diff --git a/themes/random.php b/themes/random.php index 2064b78d..af6793a2 100755 --- a/themes/random.php +++ b/themes/random.php @@ -20,10 +20,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ /** load required functions */ include_once(SM_PATH . 'functions/global.php'); -include_once(SM_PATH . 'functions/strings.php'); - -/** Initialize the random number generator */ -sq_mt_randomize(); global $theme; diff --git a/themes/shades_of_grey.php b/themes/shades_of_grey.php index 83e5a62a..b5e20541 100755 --- a/themes/shades_of_grey.php +++ b/themes/shades_of_grey.php @@ -19,12 +19,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator */ -sq_mt_randomize(); - for ($i = 0; $i <= 16; $i++) { /* background/foreground toggle */ if ($i == 0 or $i == 3 or $i == 4 or $i == 5 or $i == 9 or $i == 10 or $i == 12 or $i == 16) { diff --git a/themes/spice_of_life.php b/themes/spice_of_life.php index 217e5e57..235be941 100755 --- a/themes/spice_of_life.php +++ b/themes/spice_of_life.php @@ -19,12 +19,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator **/ -sq_mt_randomize(); - /** light(1) or dark(0) background? **/ $bg = mt_rand(0,1); 
diff --git a/themes/spice_of_life_dark.php b/themes/spice_of_life_dark.php index 1e852470..d061f4f1 100755 --- a/themes/spice_of_life_dark.php +++ b/themes/spice_of_life_dark.php @@ -19,12 +19,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator **/ -sq_mt_randomize(); - for ($i = 0; $i <= 16; $i++) { /** background/foreground toggle **/ if ($i == 0 or $i == 3 or $i == 4 or $i == 5 or $i == 9 or $i == 10 or $i == 12 or $i == 16) { diff --git a/themes/spice_of_life_lite.php b/themes/spice_of_life_lite.php index 0ca4e5f2..1ba89ffd 100755 --- a/themes/spice_of_life_lite.php +++ b/themes/spice_of_life_lite.php @@ -19,12 +19,6 @@ if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE_ die(); } -/** load sq_mt_randomize() */ -include_once(SM_PATH . 'functions/strings.php'); - -/** seed the random number generator **/ -sq_mt_randomize(); - for ($i = 0; $i <= 16; $i++) { /** background/foreground toggle **/ if ($i == 0 or $i == 3 or $i == 4 or $i == 5 or $i == 9 or $i == 10 or $i == 12 or $i == 16) { -- 2.25.1