From: Dietmar Maurer Date: Thu, 30 Mar 2017 06:53:12 +0000 (+0200) Subject: encrypt_pw: avoid '+' for crypt salt X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=54028297ea98e9f17ffaefeb2fa22723ed0bceb0;hp=0835385bea89e7d8eebdb79af5f2c15f2beadb05 encrypt_pw: avoid '+' for crypt salt And make salt less predictable.
---
diff --git a/PVE/Auth/Plugin.pm b/PVE/Auth/Plugin.pm
index 6b0298c..3356f69 100755
--- a/PVE/Auth/Plugin.pm
+++ b/PVE/Auth/Plugin.pm
@@ -130,11 +130,18 @@ sub parse_tfa_config {
     return $res;
 }
 
+my $salt_starter = time();
+
 sub encrypt_pw {
     my ($pw) = @_;
 
-    my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8);
-    return crypt(encode("utf8", $pw), "\$5\$$time\$");
+    $salt_starter++;
+    my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
+
+    # crypt does not want '+' in salt (see 'man crypt')
+    $salt =~ s/\+/X/g;
+
+    return crypt(encode("utf8", $pw), "\$5\$$salt\$");
 }
 
 my $defaultData = {
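Review bot: The salt is still built only from guessable inputs — `sha1_base64(time() + $salt_starter + $$)` hashes the wall clock, a per-process counter and the pid — so anyone who knows roughly when a password was set can enumerate the candidate salts, and the `$5$` (SHA-256-crypt) scheme expects a random salt of up to 16 characters, not 8. Note also that the argument is an integer sum, not a concatenation, so distinct (time, counter, pid) triples collide on the same hash input, further shrinking the space. Reading the salt material from the kernel CSPRNG (/dev/urandom, or whatever random-bytes helper the project already exposes) removes the predictability entirely and makes `$salt_starter` unnecessary; mapping `+` onto `.` instead of a fixed `X` keeps the result inside crypt's `[./0-9A-Za-z]` alphabet without biasing one character. `encrypt_pw` lies entirely within the hunk; the trailing `my $defaultData = {` continues outside it.
```perl
sub encrypt_pw {
    my ($pw) = @_;

    # 16-char salt from the kernel CSPRNG, mapped onto crypt's [./0-9A-Za-z] alphabet
    open(my $fh, '<', '/dev/urandom') or die "unable to open /dev/urandom: $!\n";
    my $rnd = '';
    my $got = read($fh, $rnd, 32);
    close($fh);
    die "short read from /dev/urandom\n" if !defined($got) || $got != 32;
    my $salt = substr(Digest::SHA::sha1_base64($rnd), 0, 16);
    $salt =~ tr{+}{.};    # '+' is not a valid salt character; '/' is

    return crypt(encode("utf8", $pw), "\$5\$$salt\$");
}
```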