From 9b394648f35965c5b6e18a8ff12af25d73866f7a Mon Sep 17 00:00:00 2001
From: Martin Zobel-Helas <zobel@debian.org>
Date: Fri, 9 Mar 2012 12:47:38 +0100
Subject: [PATCH] Better salt Signed-off-by: Martin Zobel-Helas
 <zobel@debian.org>

---
 Util.pm    | 16 ++++++++++++++++
 update.cgi |  2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Util.pm b/Util.pm
index 001de37..f6be1ed 100644
--- a/Util.pm
+++ b/Util.pm
@@ -50,6 +50,22 @@ sub CreateCryptSalt {
   return ($md5 ? "\$1\$$out\$" : $out);
 }
 
+sub CreateMD5Salt {
+  my $validstr = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+  my @valid = split(//,$validstr);
+  my ($in, $out);
+  
+  my $cryptsaltlen = 8;
+  
+  open (F, "</dev/urandom") || die &HTMLError("No /dev/urandom found!");
+  foreach (1..$cryptsaltlen) {
+    read(F, $in, 1);
+    $out .= $valid[ord($in) % ($#valid + 1)];
+  }
+  close F;
+  return $out;
+}
+
 sub Encrypt { 
   # blowfish only encrypts things in blocks of 8 bytes, so we
   # need a custom routine that handles longer strings....
diff --git a/update.cgi b/update.cgi
index 13d847b..d7749d8 100755
--- a/update.cgi
+++ b/update.cgi
@@ -249,7 +249,7 @@ if (!($query->param('doupdate'))) {
     }
 
     # create a md5 crypted password
-    $newwebpassword = apache_md5_crypt($query->param('newwebpass'), &Util::CreateCryptSalt());
+    $newwebpassword = apache_md5_crypt($query->param('newwebpass'), &Util::CreateMD5Salt());
     
     &Util::LDAPUpdate($ldap, $editdn, 'webPassword', $newwebpassword);
   }  
-- 
2.20.1