From 4663186fdcb2ac1142d3697e27a8f67ce3c92510 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Mon, 31 Dec 2012 13:51:11 -0800
Subject: Bug 785283 - Support increased values for PASSWORD_SALT_LENGTH without breaking compat with old hashes [r=LpSolit a=LpSolit]

---
 Bugzilla/Auth/Verify/DB.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/Auth')

diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index 2ad98874d..82fa662dc 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -66,11 +66,22 @@ sub check_credentials {
     Bugzilla::Token::DeletePasswordTokens($user->id, "user_logged_in");
     $user->clear_login_failures();
 
+    my $update_password = 0;
+
     # If their old password was using crypt() or some different hash
     # than we're using now, convert the stored password to using
     # whatever hashing system we're using now.
     my $current_algorithm = PASSWORD_DIGEST_ALGORITHM;
-    if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/) {
+    $update_password = 1 if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/);
+
+    # If their old password was using a different length salt than what
+    # we're using now, update the password to use the new salt length.
+    if ($real_password_crypted =~ /^([^,]+),/) {
+        $update_password = 1 if (length($1) != PASSWORD_SALT_LENGTH);
+    }
+
+    # If needed, update the user's password.
+    if ($update_password) {
         $user->set_password($password);
         $user->update();
     }
-- 
cgit v1.2.3-24-g4f1b
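Review bot: The new salt-length check on `if ($real_password_crypted =~ /^([^,]+),/)` depends on the stored value having the layout `<salt>,<digest>{<algorithm>}`, which is only implied by the two regexes in this hunk, and a stored value with no comma (a legacy crypt() hash, for instance) skips the salt comparison entirely; that is correct only because the algorithm check a few lines up has already set `$update_password` for such a value, and the coupling is not stated. I would add above the salt check `# No comma means a legacy hash; the algorithm check above already forces a rehash.` and, next to the first regex, a short comment naming the `salt,digest{ALGORITHM}` layout so the two checks are read together. Since a salt-length mismatch now reaches `$user->set_password($password)` on every successful login, it is worth confirming that the salt generated by set_password is itself PASSWORD_SALT_LENGTH characters long, otherwise this branch would rewrite the hash on each login rather than once. check_credentials begins before this hunk and continues after it.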