From 179e06d7c93760d9764bed65295a95fe0930fc4d Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Fri, 2 Jan 2009 09:11:47 +0000
Subject: Bug 211006: Make Bugzilla use SHA-256 instead of crypt() to store hashed passwords in the database Patch By Max Kanat-Alexander r=LpSolit, a=LpSolit
---
 Bugzilla/Auth/Verify/DB.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'Bugzilla/Auth')
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index 0f73063d2..695671a31 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -64,6 +64,16 @@ sub check_credentials {
 # password tokens they may have generated.
 Bugzilla::Token::DeletePasswordTokens($user_id, "user_logged_in");

+ # If their old password was using crypt() or some different hash
+ # than we're using now, convert the stored password to using
+ # whatever hashing system we're using now.
+ my $current_algorithm = PASSWORD_DIGEST_ALGORITHM;
+ if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/) {
+ my $new_crypted = bz_crypt($password);
+ $dbh->do('UPDATE profiles SET cryptpassword = ? WHERE userid = ?',
+ undef, $new_crypted, $user_id);
+ }
+
 return $login_data;
 }

-- 
cgit v1.2.3-24-g4f1b
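Review bot: The suffix test in the added `if` uses an unescaped `{` and a `$` anchor, so it depends on Perl tolerating a leading literal brace and would also match a stored value that ends in a newline; `if ($real_password_crypted !~ /\{\Q$current_algorithm\E\}\z/) {` states the intent exactly. The rehash runs only on this path, which appears to follow a successful password check (check_credentials begins outside the hunk), so accounts that never log in again keep their crypt() hashes; a comment such as `# Legacy hashes are upgraded lazily at login; dormant accounts keep the old format until reset.` would make that visible to anyone auditing the profiles table. The return value of `$dbh->do` is not inspected, which is fine only if the handle raises on error; presumably it does, but that is not visible in the hunk.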