Restore compatibility with 2.0.0's fix for wraparound bug (#81)

2016-06-30 00:15:42 -05:00 · 2016-06-30 00:15:42 -05:00 · 10888813fc
commit 10888813fc
parent c9a9ec1e7a
2 changed files with 14 additions and 0 deletions
--- a/src/bcrypt/init.py
+++ b/src/bcrypt/init.py
@ -67,6 +67,14 @@ def hashpw(password, salt):
    if b"\x00" in password:
        raise ValueError("password may not contain NUL bytes")

+    # bcrypt originally suffered from a wraparound bug:
+    # http://www.openwall.com/lists/oss-security/2012/01/02/4
+    # This bug was corrected in the OpenBSD source by truncating inputs to 72
+    # bytes on the updated prefix $2b$, but leaving $2a$ unchanged for
+    # compatibility. However, pyca/bcrypt 2.0.0 *did* correctly truncate inputs
+    # on $2a$, so we do it here to preserve compatibility with 2.0.0
+    password = password[:72]
+
    salt = _normalize_prefix(salt)

    hashed = _bcrypt.ffi.new("unsigned char[]", 128)
--- a/tests/test_bcrypt.py
+++ b/tests/test_bcrypt.py
@ -430,3 +430,9 @@ def test_invalid_params(password, salt, desired_key_bytes, rounds, error):
 def test_bcrypt_assert():
    with pytest.raises(SystemError):
        bcrypt._bcrypt_assert(False)
+
+
+def test_2a_wraparound_bug():
+    assert bcrypt.hashpw(
+        (b"0123456789" * 26)[:255], b"$2a$04$R1lJ2gkNaoPGdafE.H.16."
+    ) == b"$2a$04$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oi"