Stronger server salt

sebsauvage · sebsauvage · commit a24212afda90 · 2014-02-06T22:33:55.000+01:00
ZeroBin now generates a much stronger salt. This fixes issue #68 (mentioned in section 2.1 of https://defuse.ca/audits/zerobin.htm)
diff --git a/lib/serversalt.php b/lib/serversalt.php
@@ -4,7 +4,14 @@
 function generateRandomSalt()
 {
     $randomSalt='';
-    for($i=0;$i<16;$i++) { $randomSalt.=base_convert(mt_rand(),10,16); }
+    if (function_exists("mcrypt_create_iv"))
+    {
+        $randomSalt = bin2hex(mcrypt_create_iv(256, MCRYPT_DEV_URANDOM));
+    }
+    else // fallback to mt_rand()
+    {
+        for($i=0;$i<16;$i++) { $randomSalt.=base_convert(mt_rand(),10,16); }
+    }
     return $randomSalt;
 }
 
diff --git a/lib/vizhash_gd_zero.php b/lib/vizhash_gd_zero.php
@@ -74,16 +74,7 @@ function generate($text)
         
         return $imagedata;
     } 
-    
-    // Generate a large random hexadecimal salt.
-    private function randomSalt()
-    {
-        $randomSalt='';
-        for($i=0;$i<6;$i++) { $randomSalt.=base_convert(mt_rand(),10,16); }
-        return $randomSalt;
-    }
-   
-    
+
     private function getInt() // Returns a single integer from the $VALUES array (0...255)
     {
         $v= $this->VALUES[$this->VALUES_INDEX]; 
