From 5ddb84da8800728b887f2497a205fad01c44be8a Mon Sep 17 00:00:00 2001
From: "travis%sedsystems.ca" <>
Date: Tue, 1 Feb 2005 03:26:00 +0000
Subject: Bug 278792 : Move Crypt() to Bugzilla::Auth

Patch by Max Kanat-Alexander r=vladd a=justdave
---
 Bugzilla/Auth.pm | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

(limited to 'Bugzilla/Auth.pm')

diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm
index 71b125e45..6071d3abd 100644
--- a/Bugzilla/Auth.pm
+++ b/Bugzilla/Auth.pm
@@ -23,6 +23,8 @@ package Bugzilla::Auth;
 
 use strict;
 
+use Exporter qw(import);
+@Bugzilla::Auth::EXPORT = qw(bz_crypt);
 use Bugzilla::Config;
 use Bugzilla::Constants;
 
@@ -42,6 +44,31 @@ BEGIN {
 }
 }
 
+sub bz_crypt ($) {
+ my ($password) = @_;
+
+ # The list of characters that can appear in a salt. Salts and hashes
+ # are both encoded as a sequence of characters from a set containing
+ # 64 characters, each one of which represents 6 bits of the salt/hash.
+ # The encoding is similar to BASE64, the difference being that the
+ # BASE64 plus sign (+) is replaced with a forward slash (/).
+ my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
+
+ # Generate the salt. We use an 8 character (48 bit) salt for maximum
+ # security on systems whose crypt uses MD5. Systems with older
+ # versions of crypt will just use the first two characters of the salt.
+ my $salt = '';
+ for ( my $i=0 ; $i < 8 ; ++$i ) {
+ $salt .= $saltchars[rand(64)];
+ }
+
+ # Crypt the password.
+ my $cryptedpassword = crypt($password, $salt);
+
+ # Return the crypted password.
+ return $cryptedpassword;
+}
+
 # PRIVATE
 
 # A number of features, like password change requests, require the DB
@@ -128,6 +155,11 @@ __END__
 
 Bugzilla::Auth - Authentication handling for Bugzilla users
 
+=head1 SYNOPSIS
+
+ # Class Functions
+ $crypted = bz_crypt($password);
+
 =head1 DESCRIPTION
 
 Handles authentication for Bugzilla users.
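Review bot: The 8-character salt that bz_crypt builds is handed to crypt() with no `$1$` prefix, and on glibc (and any libc that picks the algorithm from a leading `$id$` in the salt) that selects traditional DES crypt, which uses only the first two salt characters and silently truncates the password to 8 characters — the opposite of what the "48 bit salt for maximum security on systems whose crypt uses MD5" comment promises. If MD5-crypt is the intent, start the salt with the prefix, `my $salt = '$1$';` before the loop, and reword the comment to say the libc chooses the algorithm from that prefix, hedged with a TODO to confirm on the supported platforms. The salt characters also come from Perl's `rand`, which is not a cryptographic generator; since salts are public this is far less serious than the truncation, but a one-line comment such as `# NOTE: rand() is not a CSPRNG; salt predictability is accepted here` keeps the next reader from assuming otherwise. crypt() returning undef on a salt the libc rejects is not checked either, so `return $cryptedpassword;` can propagate undef to the caller. The BEGIN block and PRIVATE section around the new sub lie outside this hunk.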
@@ -147,6 +179,23 @@ authentication or login modules.
 
 =over 4
 
+=item C
+
+Takes a string and returns a Ced value for it, using a random salt.
+
+Please always use this function instead of the built-in perl "crypt"
+when initially encrypting a password.
+
+=begin undocumented
+
+Random salts are generated because the alternative is usually
+to use the first two characters of the password itself, and since
+the salt appears in plaintext at the beginning of the encrypted
+password string this has the effect of revealing the first two
+characters of the password to anyone who views the encrypted version.
+
+=end undocumented
+
 =item C
 
 Given an ip address, this returns the associated network address, using
-- cgit v1.2.3-24-g4f1b