encrypt_pw: avoid '+' for crypt salt

And make salt less predictable.
2025-08-14 16:19:48 +00:00 · 2017-03-30 08:53:12 +02:00 · 2017-03-30 08:53:12 +02:00 · 54028297ea
commit 54028297ea
parent 0835385bea
1 changed files with 9 additions and 2 deletions
--- a/PVE/Auth/Plugin.pm
+++ b/PVE/Auth/Plugin.pm
@ -130,11 +130,18 @@ sub parse_tfa_config {
    return $res;
 }

+my $salt_starter = time();
+
 sub encrypt_pw {
    my ($pw) = @_;

-    my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8);
-    return crypt(encode("utf8", $pw), "\$5\$$time\$");
+    $salt_starter++;
+    my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
+
+    # crypt does not want '+' in salt (see 'man crypt')
+    $salt =~ s/\+/X/g;
+
+    return crypt(encode("utf8", $pw), "\$5\$$salt\$");
 }

 my $defaultData = {