
Strengthen some crypto (#8061)

For login, tokens, nonces
Alexandre Alapetite 6 luni în urmă
părinte
comite
57e1a375cb

+ 2 - 3
app/Controllers/javascriptController.php

@@ -74,12 +74,11 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 		$user_conf = get_user_configuration($user);
 		if ($user_conf !== null) {
 			try {
-				$salt = FreshRSS_Context::systemConf()->salt;
 				$s = $user_conf->passwordHash;
 				if (strlen($s) >= 60) {
 					//CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
 					$this->view->salt1 = substr($s, 0, 29);
-					$this->view->nonce = sha1($salt . uniqid('' . mt_rand(), true));
+					$this->view->nonce = hash('sha256', FreshRSS_Context::systemConf()->salt . $user . random_bytes(32));
 					Minz_Session::_param('nonce', $this->view->nonce);
 					return;	//Success
 				}
@@ -95,7 +94,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 		for ($i = 22; $i > 0; $i--) {
 			$this->view->salt1 .= $alphabet[random_int(0, 63)];
 		}
-		$this->view->nonce = sha1('' . mt_rand());
+		$this->view->nonce = hash('sha256', 'failure' . rand());
 		Minz_Session::_param('nonce', $this->view->nonce);
 	}
 }
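Review bot: The failure-branch nonce `hash('sha256', 'failure' . rand())` is built from a constant string and a non-cryptographic generator, while the success branch in the previous hunk now uses `random_bytes(32)`. The loop just above fills `salt1` with random characters, which suggests this branch is meant to look like a real response for an unknown user. A nonce drawn from such a small, enumerable set can be told apart from a real one, and that would reveal whether the account exists. I would use `$this->view->nonce = hash('sha256', random_bytes(32));` so both branches produce values of the same quality. The enclosing method starts outside the hunk.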

+ 1 - 2
app/Controllers/userController.php

@@ -41,8 +41,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 			$userConfig->mail_login = $email;
 
 			if (FreshRSS_Context::systemConf()->force_email_validation) {
-				$salt = FreshRSS_Context::systemConf()->salt;
-				$userConfig->email_validation_token = sha1($salt . uniqid('' . mt_rand(), true));
+				$userConfig->email_validation_token = hash('sha256', FreshRSS_Context::systemConf()->salt . $email . random_bytes(32));
 				$mailer = new FreshRSS_User_Mailer();
 				$mailer->send_email_need_validation($user, $userConfig);
 			}

+ 1 - 2
app/Models/Auth.php

@@ -217,8 +217,7 @@ class FreshRSS_Auth {
 	public static function csrfToken(): string {
 		$csrf = Minz_Session::paramString('csrf');
 		if ($csrf == '') {
-			$salt = FreshRSS_Context::systemConf()->salt;
-			$csrf = sha1($salt . uniqid('' . random_int(0, mt_getrandmax()), true));
+			$csrf = hash('sha256', FreshRSS_Context::systemConf()->salt . random_bytes(32));
 			Minz_Session::_param('csrf', $csrf);
 		}
 		return $csrf;

+ 1 - 1
app/Models/FormAuth.php

@@ -52,7 +52,7 @@ class FreshRSS_FormAuth {
 
 	public static function makeCookie(string $username, string $password_hash): string|false {
 		do {
-			$token = sha1(FreshRSS_Context::systemConf()->salt . $username . uniqid('' . mt_rand(), true));
+			$token = hash('sha256', FreshRSS_Context::systemConf()->salt . $username . random_bytes(32));
 			$token_file = DATA_PATH . '/tokens/' . $token . '.txt';
 		} while (file_exists($token_file));
 
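Review bot: `$token_file = DATA_PATH . '/tokens/' . $token . '.txt'` uses the freshly generated token itself as the file name. If the browser receives that same value (the rest of makeCookie is outside the hunk), every valid login token can be read in clear from a listing or backup of the tokens directory. Naming the file after a digest, e.g. `$token_file = DATA_PATH . '/tokens/' . hash('sha256', $token) . '.txt';`, with the same digest applied wherever the cookie is looked up, keeps the bearer value off disk. With 256 bits from `random_bytes()` the `file_exists()` retry loop is effectively unreachable, though it is harmless to keep as a guard.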

+ 1 - 1
lib/lib_install.php

@@ -73,7 +73,7 @@ function checkRequirements(string $dbType = ''): array {
 }
 
 function generateSalt(): string {
-	return sha1(uniqid('' . mt_rand(), true) . implode('', stat(__FILE__) ?: []));
+	return hash('sha256', uniqid(more_entropy: true) . implode('', stat(__FILE__) ?: []) . random_bytes(32));
 }
 
 /**
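Review bot: `generateSalt()` has no docblock, and the new line still mixes `uniqid(more_entropy: true)` and `stat(__FILE__)` with `random_bytes(32)`, which hides that only the last input is unpredictable. I would add `/** Generates the installation-wide secret salt. All unpredictability comes from random_bytes(32); uniqid() and stat() are not secret inputs. */` above the function. That tells a later reader the older inputs may be dropped, and that a failure of `random_bytes()` must stay fatal rather than be caught and replaced by a weaker fallback.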

+ 2 - 2
p/f.php

@@ -39,7 +39,7 @@ $txt_mtime = @filemtime($txt) ?: 0;
 
 $is_custom_favicon = $ico_mtime != false && $txt_mtime == false;
 
-if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (mt_rand(15, 20) * 86400))) && !$is_custom_favicon) {
+if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (rand(15, 20) * 86400))) && !$is_custom_favicon) {
 	if ($txt_mtime == false) {
 		show_default_favicon(1800);
 		exit();
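Review bot: `rand(15, 20)` here and `rand(14, 21)` in the next hunk are not cryptographic, and nothing on either line says that is intentional. Both values appear only to spread out favicon refresh and cache lifetimes, so the choice is fine. In a commit that hardens token generation, a short comment such as `// rand() is fine here: cache-expiry jitter only, not a secret` would stop a later audit from flagging or "fixing" these calls.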
@@ -63,7 +63,7 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m
 	}
 }
 
-if ($no_cache || !httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) {
+if ($no_cache || !httpConditional($ico_mtime, rand(14, 21) * 86400, 2)) {
 	$ico_content_type = contentType($ico);
 	header('Content-Type: ' . $ico_content_type);
 	header('Content-Disposition: inline; filename="' . $id . '.ico"');