summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Auth.pm49
-rw-r--r--Bugzilla/Auth/Verify/DB.pm2
2 files changed, 50 insertions, 1 deletions
diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm
index 71b125e45..6071d3abd 100644
--- a/Bugzilla/Auth.pm
+++ b/Bugzilla/Auth.pm
@@ -23,6 +23,8 @@
package Bugzilla::Auth;
use strict;
+use Exporter qw(import);
+@Bugzilla::Auth::EXPORT = qw(bz_crypt);
use Bugzilla::Config;
use Bugzilla::Constants;
@@ -42,6 +44,31 @@ BEGIN {
}
}
+sub bz_crypt ($) {
+ my ($password) = @_;
+
+ # The list of characters that can appear in a salt. Salts and hashes
+ # are both encoded as a sequence of characters from a set containing
+ # 64 characters, each one of which represents 6 bits of the salt/hash.
+ # The encoding is similar to BASE64, the difference being that the
+ # BASE64 plus sign (+) is replaced with a forward slash (/).
+ my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
+
+ # Generate the salt. We use an 8 character (48 bit) salt for maximum
+ # security on systems whose crypt uses MD5. Systems with older
+ # versions of crypt will just use the first two characters of the salt.
+ my $salt = '';
+ for ( my $i=0 ; $i < 8 ; ++$i ) {
+ $salt .= $saltchars[rand(64)];
+ }
+
+ # Crypt the password.
+ my $cryptedpassword = crypt($password, $salt);
+
+ # Return the crypted password.
+ return $cryptedpassword;
+}
+
# PRIVATE
# A number of features, like password change requests, require the DB
@@ -128,6 +155,11 @@ __END__
Bugzilla::Auth - Authentication handling for Bugzilla users
+=head1 SYNOPSIS
+
+ # Class Functions
+ $crypted = bz_crypt($password);
+
=head1 DESCRIPTION
Handles authentication for Bugzilla users.
@@ -147,6 +179,23 @@ authentication or login modules.
=over 4
+=item C<bz_crypt($password)>
+
+Takes a string and returns a C<crypt>ed value for it, using a random salt.
+
+Please always use this function instead of the built-in perl "crypt"
+when initially encrypting a password.
+
+=begin undocumented
+
+Random salts are generated because the alternative is usually
+to use the first two characters of the password itself, and since
+the salt appears in plaintext at the beginning of the encrypted
+password string this has the effect of revealing the first two
+characters of the password to anyone who views the encrypted version.
+
+=end undocumented
+
=item C<Bugzilla::Auth::get_netaddr($ipaddr)>
Given an ip address, this returns the associated network address, using
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index ec13bacf8..1d5c6850c 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -111,7 +111,7 @@ sub check_password {
sub change_password {
my ($class, $userid, $password) = @_;
my $dbh = Bugzilla->dbh;
- my $cryptpassword = Crypt($password);
+ my $cryptpassword = bz_crypt($password);
$dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
undef, $cryptpassword, $userid);
}