Fix #14087: Installation: create a cryptographically secure master salt

davidhicks · davidhicks · commit caf21ad4f13b · 2012-05-06T16:38:21.000+10:00
Commit 3f0f379 automatically generated a value for $g_crypto_master_salt during installation based on a very weak mechanism -- an MD5 hash of the current server time. This commit correctly generates a 256bit cryptographically secure salt instead, based on a much stronger source of randomness such as OpenSSL's PRNG or /dev/urandom on Linux systems. When a secure salt cannot be generated the user will need to manually define $g_crypto_master_salt post installation. Carriage return characters have also been removed from the default generated config_inc.php file. These characters are redundant and do not match the line termination standard used throughout MantisBT's code base.
diff --git a/admin/install.php b/admin/install.php
@@ -33,6 +33,7 @@
 
 @require_once( dirname( dirname( __FILE__ ) ) . DIRECTORY_SEPARATOR . 'core.php' );
 require_api( 'install_helper_functions_api.php' );
+require_api( 'crypto_api.php' );
 $g_error_send_page_header = false; # bypass page headers in error handler
 
 $g_failed = false;
@@ -712,7 +713,7 @@ function InsertData( $p_table, $p_data ) {
 			if( $f_log_queries ) {
 				if( $t_sql ) {
 					foreach( $sqlarray as $sql ) {
-						echo htmlentities( $sql ) . ";\r\n\r\n";
+						echo htmlentities( $sql ) . ";\n\n";
 					}
 				}
 			} else {
@@ -741,7 +742,7 @@ function InsertData( $p_table, $p_data ) {
 		}
 		if( $f_log_queries ) {
 			# add a query to set the database version
-			echo 'INSERT INTO ' . db_get_table( 'config' ) . ' ( value, type, access_reqd, config_id, project_id, user_id ) VALUES (\'' . $lastid . '\', 1, 90, \'database_version\', 0, 0 );' . "\r\n";
+			echo 'INSERT INTO ' . db_get_table( 'config' ) . ' ( value, type, access_reqd, config_id, project_id, user_id ) VALUES (\'' . $lastid . '\', 1, 90, \'database_version\', 0, 0 );' . "\n";
 			echo '</pre><br /><p style="color:red">Your database has not been created yet. Please create the database, then install the tables and data using the information above before proceeding.</p></td></tr>';
 		}
 	}
@@ -801,22 +802,28 @@ function InsertData( $p_table, $p_data ) {
 	?>
 	</td>
 	<?php
-		$t_config = '<?php' . "\r\n";
-	$t_config .= "\t\$g_hostname = '$f_hostname';\r\n";
-	$t_config .= "\t\$g_db_type = '$f_db_type';\r\n";
-	$t_config .= "\t\$g_database_name = '$f_database_name';\r\n";
-	$t_config .= "\t\$g_db_username = '$f_db_username';\r\n";
-	$t_config .= "\t\$g_db_password = '$f_db_password';\r\n";
+	$t_config = '<?php' . "\n";
+	$t_config .= "\t\$g_hostname = '$f_hostname';\n";
+	$t_config .= "\t\$g_db_type = '$f_db_type';\n";
+	$t_config .= "\t\$g_database_name = '$f_database_name';\n";
+	$t_config .= "\t\$g_db_username = '$f_db_username';\n";
+	$t_config .= "\t\$g_db_password = '$f_db_password';\n";
 
 	if( $f_db_type == 'db2' ) {
-		$t_config .= "\t\$g_db_schema = '$f_db_schema';\r\n";
+		$t_config .= "\t\$g_db_schema = '$f_db_schema';\n";
 	}
 
-	$t_config .= "\r\n";
-
-    # generate a crypto salt based on time of installation.
-    $t_crypto_master_salt = md5((string)time());
-    $t_config .= "\t\$g_crypto_master_salt = '$t_crypto_master_salt';\r\n";
+	$t_config .= "\n";
+
+    /* Automatically generate a strong master salt/nonce for MantisBT
+     * cryptographic purposes. If a strong source of randomness is not
+     * available the user will have to manually set this value post
+     * installation.
+     */
+    $t_crypto_master_salt = crypto_generate_random_string(32);
+    if ($t_crypto_master_salt !== null) {
+    	$t_config .= "\t\$g_crypto_master_salt = '$t_crypto_master_salt';\n";
+    }
 
     $t_write_failed = true;
 
