Commit 95b919c0 authored by Max Kanat-Alexander's avatar Max Kanat-Alexander

Bug 619594: (CVE-2010-4568) [SECURITY] Improve the randomness of

generate_random_password, to protect against an account compromise issue and other critical vulnerabilities. r=LpSolit, a=LpSolit https://bugzilla.mozilla.org/show_bug.cgi?id=621591
parent ad1e3aef
...@@ -109,7 +109,9 @@ use constant LOCALCONFIG_VARS => ( ...@@ -109,7 +109,9 @@ use constant LOCALCONFIG_VARS => (
}, },
{ {
name => 'site_wide_secret', name => 'site_wide_secret',
default => sub { generate_random_password(256) }, # 64 characters is roughly the equivalent of a 384-bit key, which
# is larger than anybody would ever be able to brute-force.
default => sub { generate_random_password(64) },
}, },
); );
...@@ -210,7 +212,14 @@ sub update_localconfig { ...@@ -210,7 +212,14 @@ sub update_localconfig {
my @new_vars; my @new_vars;
foreach my $var (LOCALCONFIG_VARS) { foreach my $var (LOCALCONFIG_VARS) {
my $name = $var->{name}; my $name = $var->{name};
if (!defined $localconfig->{$name}) { my $value = $localconfig->{$name};
# Regenerate site_wide_secret if it was made by our old, weak
# generate_random_password. Previously we used to generate
# a 256-character string for site_wide_secret.
$value = undef if ($name eq 'site_wide_secret' and defined $value
and length($value) == 256);
if (!defined $value) {
push(@new_vars, $name); push(@new_vars, $name);
$var->{default} = &{$var->{default}} if ref($var->{default}) eq 'CODE'; $var->{default} = &{$var->{default}} if ref($var->{default}) eq 'CODE';
if (exists $answer->{$name}) { if (exists $answer->{$name}) {
......
...@@ -157,6 +157,12 @@ sub REQUIRED_MODULES { ...@@ -157,6 +157,12 @@ sub REQUIRED_MODULES {
module => 'List::MoreUtils', module => 'List::MoreUtils',
version => 0.22, version => 0.22,
}, },
{
package => 'Math-Random-Secure',
module => 'Math::Random::Secure',
# This is the first version that installs properly on Windows.
version => '0.05',
},
); );
my $extra_modules = _get_extension_requirements('REQUIRED_MODULES'); my $extra_modules = _get_extension_requirements('REQUIRED_MODULES');
......
...@@ -54,6 +54,7 @@ use DateTime::TimeZone; ...@@ -54,6 +54,7 @@ use DateTime::TimeZone;
use Digest; use Digest;
use Email::Address; use Email::Address;
use List::Util qw(first); use List::Util qw(first);
use Math::Random::Secure qw(irand);
use Scalar::Util qw(tainted); use Scalar::Util qw(tainted);
use Template::Filters; use Template::Filters;
use Text::Wrap; use Text::Wrap;
...@@ -535,9 +536,15 @@ sub bz_crypt { ...@@ -535,9 +536,15 @@ sub bz_crypt {
return $crypted_password; return $crypted_password;
} }
# If you want to understand the security of strings generated by this
# function, here's a quick formula that will help you estimate:
# We pick from 62 characters, which is close to 64, which is 2^6.
# So 8 characters is (2^6)^8 == 2^48 combinations. Just multiply 6
# by the number of characters you generate, and that gets you the equivalent
# strength of the string in bits.
sub generate_random_password { sub generate_random_password {
my $size = shift || 10; # default to 10 chars if nothing specified my $size = shift || 10; # default to 10 chars if nothing specified
return join("", map{ ('0'..'9','a'..'z','A'..'Z')[rand 62] } (1..$size)); return join("", map{ ('0'..'9','a'..'z','A'..'Z')[irand 62] } (1..$size));
} }
sub validate_email_syntax { sub validate_email_syntax {
......
...@@ -37,6 +37,7 @@ use lib Bugzilla::Constants::bz_locations()->{'ext_libpath'}; ...@@ -37,6 +37,7 @@ use lib Bugzilla::Constants::bz_locations()->{'ext_libpath'};
use Apache2::ServerUtil; use Apache2::ServerUtil;
use ModPerl::RegistryLoader (); use ModPerl::RegistryLoader ();
use File::Basename (); use File::Basename ();
use Math::Random::Secure;
# This loads most of our modules. # This loads most of our modules.
use Bugzilla (); use Bugzilla ();
...@@ -60,8 +61,12 @@ my $cgi_path = Bugzilla::Constants::bz_locations()->{'cgi_path'}; ...@@ -60,8 +61,12 @@ my $cgi_path = Bugzilla::Constants::bz_locations()->{'cgi_path'};
# Set up the configuration for the web server # Set up the configuration for the web server
my $server = Apache2::ServerUtil->server; my $server = Apache2::ServerUtil->server;
my $conf = <<EOT; my $conf = <<EOT;
# Make sure each httpd child receives a different random seed (bug 476622) # Make sure each httpd child receives a different random seed (bug 476622).
PerlChildInitHandler "sub { srand(); }" # Math::Random::Secure has one srand that needs to be called for
# every process, and Perl has another. (Various Perl modules still use
# the built-in rand(), even though we only use Math::Random::Secure in
# Bugzilla itself, so we need to srand() both of them.)
PerlChildInitHandler "sub { Math::Random::Secure::srand(); srand(); }"
<Directory "$cgi_path"> <Directory "$cgi_path">
AddHandler perl-script .cgi AddHandler perl-script .cgi
# No need to PerlModule these because they're already defined in mod_perl.pl # No need to PerlModule these because they're already defined in mod_perl.pl
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment