[rt-devel] [Rt-commit] rt branch, 4.2/bcrypt-passwords, updated. rt-4.1.19-33-ga844c43

Reed Loden reed at reedloden.com
Wed Sep 4 02:33:21 EDT 2013


I had recommended SHA-256 based on the hexadecimal hash output being
used (basically, 256 bits being 32 bytes outputted as 64 characters of
hex), but I guess using the raw binary output from SHA-512 would work
fine, too. I just don't always trust things to handle binary data
well. :)

~reed

On Tue,  3 Sep 2013 15:43:02 -0400 (EDT)
alexmv at bestpractical.com (Alex Vandiver) wrote:

> The branch, 4.2/bcrypt-passwords has been updated
>        via  a844c4315b5da45d80c6a0fb090f2d39536a1f6d (commit)
>       from  07ac7c51167a9427a2857fd4a09671ed8b9cab9c (commit)
> 
> Summary of changes:
>  lib/RT/User.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> - Log -----------------------------------------------------------------
> commit a844c4315b5da45d80c6a0fb090f2d39536a1f6d
> Author: Alex Vandiver <alexmv at bestpractical.com>
> Date:   Tue Sep 3 15:31:57 2013 -0400
> 
>     SHA-512 passwords before passing to bcrypt for key derivation
>     
>     The bcrypt key derivation function only uses the first 72 bytes of the
>     input; when used directly on a password, this effectively limits
>     password length to 72 characters.
>     
>     Allow for arbitrarily long passwords by hashing the password using
>     SHA-512 (which produces 512 bits, or 64 bytes, of output) before passing
>     it to bcrypt.
> 
> diff --git a/lib/RT/User.pm b/lib/RT/User.pm
> index 3e4c2de..2c25a23 100644
> --- a/lib/RT/User.pm
> +++ b/lib/RT/User.pm
> @@ -897,7 +897,7 @@ sub _GeneratePassword_bcrypt {
>          key_nul => 1,
>          cost    => $rounds,
>          salt    => $salt,
> -    }, encode_utf8($password) );
> +    }, Digest::SHA::sha512( encode_utf8($password) ) );
>  
>      return join("!", "", "bcrypt", sprintf("%02d", $rounds),
>                  Crypt::Eksblowfish::Bcrypt::en_base64( $salt ).
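Review bot: the `+` line feeds bcrypt the raw 64-byte SHA-512 digest, which contains a 0x00 byte in roughly one password in five (1 - (255/256)^64), so anything that later treats the key as a C string (a `crypt(3)`-style bcrypt, or another application validating the same stored hash) would silently stop at the first NUL; Crypt::Eksblowfish::Bcrypt takes the key as a Perl octet string and should pass the NULs through, but that assumption deserves a comment next to `key_nul => 1`, or a hex-encoded digest (64 hex characters of SHA-256 also fit within the 72-byte limit) to remove the concern entirely. Also, the hunk calls `Digest::SHA::sha512` fully qualified but does not show a `use Digest::SHA;` being added to User.pm; confirm the module is loaded, since a qualified call does not load it.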
> 
> -----------------------------------------------------------------------
> _______________________________________________
> Rt-commit mailing list
> Rt-commit at lists.bestpractical.com
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-commit
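The two pre-hashing choices discussed above (the commit's raw SHA-512 digest versus the hex SHA-256 digest suggested in the reply), as an added Python example that is not part of RT or of either mail. It checks each candidate key against bcrypt's 72-byte limit and shows why raw binary output is worth being wary of: a raw digest can contain a NUL byte, which a C-string based bcrypt would stop at. The scheme names, `BCRYPT_KEY_LIMIT` and the `pwN` candidate passwords are constructed for this example.

```python
import hashlib
from typing import Optional

# bcrypt consumes at most the first 72 bytes of its key (the limit quoted in the commit message).
BCRYPT_KEY_LIMIT = 72


def prehash(password: str, scheme: str) -> bytes:
    """Return the key material that would be handed to bcrypt under the given (constructed) scheme name.

    'sha512-raw' is what the commit does; 'sha256-hex' is the alternative from the reply;
    'sha512-hex' is included to show that hex-encoding SHA-512 would overflow the limit.
    """
    data = password.encode("utf-8")  # same first step as encode_utf8($password) in User.pm
    if scheme == "sha512-raw":
        return hashlib.sha512(data).digest()                       # 64 arbitrary bytes
    if scheme == "sha256-hex":
        return hashlib.sha256(data).hexdigest().encode("ascii")    # 64 printable bytes
    if scheme == "sha512-hex":
        return hashlib.sha512(data).hexdigest().encode("ascii")    # 128 bytes: too long
    raise ValueError(f"unknown scheme {scheme!r}")


def fits_bcrypt(key: bytes) -> bool:
    """True when bcrypt would use every byte of `key` rather than truncating it."""
    return len(key) <= BCRYPT_KEY_LIMIT


def contains_nul(key: bytes) -> bool:
    """A raw digest may contain 0x00; an implementation treating the key as a C string stops there."""
    return b"\x00" in key


def first_password_with_nul_digest(max_tries: int = 200) -> Optional[str]:
    """Search constructed passwords 'pw0', 'pw1', ... for one whose raw SHA-512 digest holds a NUL.

    Each of the 64 digest bytes is 0x00 with probability 1/256, so about 22% of digests
    (1 - (255/256)**64) contain one; a hit within 200 candidates is practically certain.
    """
    for i in range(max_tries):
        candidate = f"pw{i}"
        if contains_nul(prehash(candidate, "sha512-raw")):
            return candidate
    return None


if __name__ == "__main__":
    for scheme in ("sha512-raw", "sha256-hex", "sha512-hex"):
        key = prehash("x" * 1000, scheme)  # a 1000-character password is fine once pre-hashed
        print(scheme, len(key), "bytes, fits:", fits_bcrypt(key), "has NUL:", contains_nul(key))
    print("raw-digest NUL example:", first_password_with_nul_digest())
```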