Commit
Issue #10730: Use crypto_api for generating nonces and improve hashing
A new Crypto API function crypto_generate_uri_safe_nonce has been added which generates base64 encoded URI safe alphabet nonces according to RFC4648. This nonce creation function can thus be used throughout MantisBT where we need a random nonce. The primary use at the moment is with form_api tokens.

Hashing throughout the codebase has been improved to use the newly implemented $g_crypto_master_salt configuration option. This deprecates a number of older salt configuration options as we now derive salts from the master salt as needed. The Whirlpool hashing function is used to generate stronger hashes (instead of the original md5 hashing that is now deprecated).

RSS keys, cookie strings, lost password confirmation hashes, CAPTCHA keys, form CSRF tokens and so forth have all been upgraded to make use of the new Crypto API infrastructure and better hashing/salting methods.
1 parent 045a897, commit eb56236
Showing 11 changed files with 80 additions and 75 deletions.
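The two ideas in the commit message, a URI-safe base64 nonce (RFC 4648 section 5 alphabet) and per-purpose values derived from one master salt with Whirlpool, sketched as an added example; this is not MantisBT's code. All function names, the HMAC construction, the form names and the sample master salt are assumptions made for illustration.

```php
<?php
// Added illustration, not MantisBT code; every function name is hypothetical.

// Nonce of exactly $length characters from the RFC 4648 section 5
// "URL and filename safe" alphabet (A-Z a-z 0-9 - _), without '=' padding.
function example_uri_safe_nonce(int $length): string {
    if ($length < 1) {
        throw new InvalidArgumentException('nonce length must be positive');
    }
    // Every 3 random bytes yield 4 base64 characters, so round up.
    $raw = random_bytes((int) ceil($length * 3 / 4));
    $b64 = strtr(base64_encode($raw), '+/', '-_');
    return substr(rtrim($b64, '='), 0, $length);
}

// Assumed derivation: one Whirlpool HMAC sub-key per purpose, so a value
// issued as an RSS key can never validate as a form token or cookie string.
function example_derive_salt(string $master_salt, string $purpose): string {
    return hash_hmac('whirlpool', $purpose, $master_salt, true);
}

// Token bound to one form and one nonce (128 hex characters).
function example_form_token(string $master_salt, string $form, string $nonce): string {
    $key = example_derive_salt($master_salt, 'form_token');
    return hash_hmac('whirlpool', $form . "\0" . $nonce, $key);
}

// Constant-time comparison avoids leaking the match position through timing.
function example_form_token_valid(string $master_salt, string $form, string $nonce, string $submitted): bool {
    return hash_equals(example_form_token($master_salt, $form, $nonce), $submitted);
}

// Constructed sample value standing in for $g_crypto_master_salt.
$master_salt = base64_encode(random_bytes(32));

// Constructed form names, used only to exercise the functions above.
$nonce = example_uri_safe_nonce(64);
$token = example_form_token($master_salt, 'bug_report', $nonce);

var_dump(preg_match('/^[A-Za-z0-9_-]{64}$/', $nonce) === 1);
var_dump(example_form_token_valid($master_salt, 'bug_report', $nonce, $token));
var_dump(example_form_token_valid($master_salt, 'bug_update', $nonce, $token));
```

The last call replays the token against a different form name, which is the case the per-form binding is meant to reject.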