From f1923f8e85501143d0be63d872c726159440f6c1 Mon Sep 17 00:00:00 2001 From: "mkanat%kerio.com" <> Date: Wed, 13 Jul 2005 10:56:58 +0000 Subject: Bug 300336: Bugzilla::Auth should not contain any exported subroutines Patch By Max Kanat-Alexander r=LpSolit, a=justdave --- Bugzilla/Util.pm | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) (limited to 'Bugzilla/Util.pm') diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 91e66f9f8..83c9bf7d3 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -37,7 +37,8 @@ use base qw(Exporter); diff_arrays diff_strings trim wrap_comment find_wrap_point format_time format_time_decimal - file_mod_time); + file_mod_time + bz_crypt); use Bugzilla::Config; use Bugzilla::Error; @@ -309,6 +310,31 @@ sub file_mod_time ($) { return $mtime; } +sub bz_crypt ($) { + my ($password) = @_; + + # The list of characters that can appear in a salt. Salts and hashes + # are both encoded as a sequence of characters from a set containing + # 64 characters, each one of which represents 6 bits of the salt/hash. + # The encoding is similar to BASE64, the difference being that the + # BASE64 plus sign (+) is replaced with a forward slash (/). + my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/'); + + # Generate the salt. We use an 8 character (48 bit) salt for maximum + # security on systems whose crypt uses MD5. Systems with older + # versions of crypt will just use the first two characters of the salt. + my $salt = ''; + for ( my $i=0 ; $i < 8 ; ++$i ) { + $salt .= $saltchars[rand(64)]; + } + + # Crypt the password. + my $cryptedpassword = crypt($password, $salt); + + # Return the crypted password. + return $cryptedpassword; +} + sub ValidateDate { my ($date, $format) = @_; my $date2; 
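Review bot: In bz_crypt the generated salt is handed to crypt() with no algorithm prefix, so on glibc and any other libc whose default scheme is DES the result is traditional DES crypt — only the first two salt characters are used and the password is silently truncated to eight characters — which contradicts the hunk's own comment about a 48-bit salt "on systems whose crypt uses MD5". Selecting MD5 crypt explicitly is a one-line change, `my $salt = '$1$' . join('', map { $saltchars[rand(64)] } 1 .. 8) . '$';`, and the caller can check that the returned string begins with `$1$` to detect a platform that fell back to DES. Separately, rand() is not a cryptographic source; a predictable salt is not fatal because salts are stored in the clear anyway, but the comment should say so rather than describe the loop as giving "maximum security". The `($)` prototype performs no argument validation and only alters parsing, so plain `sub bz_crypt {` is preferable.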
@@ -369,6 +395,9 @@ Bugzilla::Util - Generic utility functions for bugzilla # Functions for dealing with files $time = file_mod_time($filename); + # Cryptographic Functions + $crypted_password = bz_crypt($password); + =head1 DESCRIPTION This package contains various utility functions which do not belong anywhere @@ -563,3 +592,25 @@ of the "mtime" parameter of the perl "stat" function. =back +=head2 Cryptography + +=over 4 + +=item C + +Takes a string and returns a Ced value for it, using a random salt. + +Please always use this function instead of the built-in perl "crypt" +when initially encrypting a password. + +=begin undocumented + +Random salts are generated because the alternative is usually +to use the first two characters of the password itself, and since +the salt appears in plaintext at the beginning of the encrypted +password string this has the effect of revealing the first two +characters of the password to anyone who views the encrypted version. + +=end undocumented + +=back -- cgit v1.2.3-24-g4f1b
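Review bot: The POD added in the last hunk describes bz_crypt as "encrypting" a password and returning an "encrypted version", but crypt() produces a one-way hash, not reversible ciphertext; `Takes a string and returns a crypt(3) hash of it, using a random salt.` and `when initially hashing a password` would state the contract accurately. It would also help callers to note that the output format and strength depend on the platform's crypt(3) implementation, and that the returned string must be stored whole since, presumably, verification later passes it back as the salt argument.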