[Rt-commit] rt branch, 4.2/bcrypt-passwords, updated. rt-4.1.19-33-ga844c43
Alex Vandiver
alexmv at bestpractical.com
Tue Sep 3 15:43:02 EDT 2013
The branch, 4.2/bcrypt-passwords has been updated
via a844c4315b5da45d80c6a0fb090f2d39536a1f6d (commit)
from 07ac7c51167a9427a2857fd4a09671ed8b9cab9c (commit)
Summary of changes:
lib/RT/User.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
- Log -----------------------------------------------------------------
commit a844c4315b5da45d80c6a0fb090f2d39536a1f6d
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Sep 3 15:31:57 2013 -0400
SHA-512 passwords before passing to bcrypt for key derivation
The bcrypt key derivation function only uses the first 72 bytes of the
input; when used directly on a password, this effectively limits
password length to 72 characters.
Allow for arbitrarily long passwords by hashing the password using
SHA-512 (which produces 512 bits, or 64 bytes, of output) before passing
it to bcrypt.
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 3e4c2de..2c25a23 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -897,7 +897,7 @@ sub _GeneratePassword_bcrypt {
key_nul => 1,
cost => $rounds,
salt => $salt,
- }, encode_utf8($password) );
+ }, Digest::SHA::sha512( encode_utf8($password) ) );
return join("!", "", "bcrypt", sprintf("%02d", $rounds),
Crypt::Eksblowfish::Bcrypt::en_base64( $salt ).
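Review bot: the new `Digest::SHA::sha512( encode_utf8($password) )` argument hands bcrypt a raw 64-byte digest, which can contain NUL bytes; Crypt::Eksblowfish::Bcrypt takes the key with an explicit length (and `key_nul => 1` only appends a terminator), so this works here, but C-string based bcrypt implementations stop at the first NUL, so either encode the digest (hex or base64) before passing it or add a comment stating that raw bytes are intentional and that the stored hashes are not meant to interoperate. Two follow-ups on the same hunk: the summary shows a single insertion, so no `use Digest::SHA;` was added to this file; confirm it is already loaded in lib/RT/User.pm rather than relying on another module having pulled it in. And since `$salt` and `$rounds` are inputs to `_GeneratePassword_bcrypt` and the stored format tag in `join("!", "", "bcrypt", ...)` is unchanged, any `!bcrypt!` hashes stored before this change will no longer verify if the check path regenerates through this function; bump the tag (or accept both forms) if the branch has been deployed anywhere.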
-----------------------------------------------------------------------