[Rt-commit] rt branch, 4.2/bcrypt-passwords, updated. rt-4.1.19-33-ga844c43

Alex Vandiver alexmv at bestpractical.com
Tue Sep 3 15:43:02 EDT 2013


The branch, 4.2/bcrypt-passwords has been updated
       via  a844c4315b5da45d80c6a0fb090f2d39536a1f6d (commit)
      from  07ac7c51167a9427a2857fd4a09671ed8b9cab9c (commit)

Summary of changes:
 lib/RT/User.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

- Log -----------------------------------------------------------------
commit a844c4315b5da45d80c6a0fb090f2d39536a1f6d
Author: Alex Vandiver <alexmv at bestpractical.com>
Date:   Tue Sep 3 15:31:57 2013 -0400

    SHA-512 passwords before passing to bcrypt for key derivation
    
    The bcrypt key derivation function only uses the first 72 bytes of the
    input; when used directly on a password, this effectively limits
    password length to 72 characters.
    
    Allow for arbitrarily long passwords by hashing the password using
    SHA-512 (which produces 512 bits, or 64 bytes, of output) before passing
    it to bcrypt.

diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 3e4c2de..2c25a23 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -897,7 +897,7 @@ sub _GeneratePassword_bcrypt {
         key_nul => 1,
         cost    => $rounds,
         salt    => $salt,
-    }, encode_utf8($password) );
+    }, Digest::SHA::sha512( encode_utf8($password) ) );
 
     return join("!", "", "bcrypt", sprintf("%02d", $rounds),
                 Crypt::Eksblowfish::Bcrypt::en_base64( $salt ).
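Review bot: the new argument on the `+` line is the raw 64-byte sha512 digest, which can contain 0x00 bytes; since the settings pass `key_nul => 1`, it is worth confirming that Crypt::Eksblowfish::Bcrypt consumes the whole 64-byte key rather than stopping at the first NUL as C-string-based bcrypt implementations do, and recording that assumption in a comment so a later swap of the bcrypt backend does not silently shorten the derived key. Two smaller points: the hunk calls `Digest::SHA::sha512` fully qualified but shows no `use Digest::SHA;`, so confirm the module is loaded in this file; and because the input to bcrypt changes, any hash produced by the earlier form of `_GeneratePassword_bcrypt` will no longer verify, so either confirm no such stored hashes exist or distinguish the new scheme in the stored string (the `"bcrypt"` label in the `join` below is the natural place for a version tag).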

-----------------------------------------------------------------------
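As an added example (not part of this commit or of RT's code) showing why the change matters: with Crypt::Eksblowfish::Bcrypt, two passwords that agree on their first 72 bytes collide when bcrypt is applied directly, and stop colliding once the password is run through SHA-512 first, as the commit does. The salt and cost are fixed, constructed values for the demonstration only.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt_hash en_base64);
use Digest::SHA qw(sha512);
use Encode qw(encode_utf8);

# Constructed demo values: a real deployment draws the 16-byte salt from a CSPRNG
# and picks the cost from configuration.
my $salt = "0123456789abcdef";
my $cost = 8;

# Two passwords that share their first 72 bytes and differ only afterwards.
my $common = "a" x 72;
my @pw = ( $common . "-suffix-one", $common . "-suffix-two" );

# Mirrors the pre-change code: bcrypt directly over the UTF-8 bytes of the password.
# bcrypt_hash appends a NUL (key_nul) and then keeps only the first 72 bytes.
sub bcrypt_direct {
    my ($password) = @_;
    return bcrypt_hash( { key_nul => 1, cost => $cost, salt => $salt },
                        encode_utf8($password) );
}

# Mirrors the post-change code: bcrypt over the 64-byte SHA-512 digest of the
# password, which always fits inside bcrypt's 72-byte key limit.
sub bcrypt_prehashed {
    my ($password) = @_;
    return bcrypt_hash( { key_nul => 1, cost => $cost, salt => $salt },
                        sha512( encode_utf8($password) ) );
}

for my $variant ( [ direct => \&bcrypt_direct ], [ prehashed => \&bcrypt_prehashed ] ) {
    my ($name, $fn) = @$variant;
    my @h = map { en_base64( $fn->($_) ) } @pw;
    printf "%-9s %s\n", $name,
        ( $h[0] eq $h[1] ? "COLLISION: both passwords give $h[0]" : "distinct hashes" );
}
```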
