From 10888813fc8a7e6a4b9cc7713ef1b92db4ad2809 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Thu, 30 Jun 2016 00:15:42 -0500
Subject: [PATCH] Restore compatibility with 2.0.0's fix for wraparound bug (#81)

---
 src/bcrypt/__init__.py | 8 ++++++++
 tests/test_bcrypt.py | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/src/bcrypt/__init__.py b/src/bcrypt/__init__.py
index c2be96d..d6acb84 100644
--- a/src/bcrypt/__init__.py
+++ b/src/bcrypt/__init__.py
@@ -67,6 +67,14 @@ def hashpw(password, salt):
     if b"\x00" in password:
         raise ValueError("password may not contain NUL bytes")
 
+    # bcrypt originally suffered from a wraparound bug:
+    # http://www.openwall.com/lists/oss-security/2012/01/02/4
+    # This bug was corrected in the OpenBSD source by truncating inputs to 72
+    # bytes on the updated prefix $2b$, but leaving $2a$ unchanged for
+    # compatibility. However, pyca/bcrypt 2.0.0 *did* correctly truncate inputs
+    # on $2a$, so we do it here to preserve compatibility with 2.0.0
+    password = password[:72]
+
     salt = _normalize_prefix(salt)
 
     hashed = _bcrypt.ffi.new("unsigned char[]", 128)
diff --git a/tests/test_bcrypt.py b/tests/test_bcrypt.py
index ea5cee3..47f315a 100644
--- a/tests/test_bcrypt.py
+++ b/tests/test_bcrypt.py
@@ -430,3 +430,9 @@ def test_invalid_params(password, salt, desired_key_bytes, rounds, error):
 def test_bcrypt_assert():
     with pytest.raises(SystemError):
         bcrypt._bcrypt_assert(False)
+
+
+def test_2a_wraparound_bug():
+    assert bcrypt.hashpw(
+        (b"0123456789" * 26)[:255], b"$2a$04$R1lJ2gkNaoPGdafE.H.16."
+    ) == b"$2a$04$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oi"
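Review bot: The new `password = password[:72]` silently discards everything past byte 72, so two passwords that share their first 72 bytes now produce the same hash and — if checkpw routes through hashpw, which this hunk does not show — verify against each other, yet nothing in hashpw's docstring tells callers. The comment explains the history of the limit but not the contract, so add a line to hashpw's docstring such as `Only the first 72 bytes of password are used; longer inputs are truncated to match OpenBSD's $2b$ limit.` so callers who append a pepper or rely on long passphrases know the tail is ignored. Raising ValueError for over-long input would be the stricter option, but it would break the 2.0.0 compatibility this commit restores, so the doc note is the change to make here. hashpw's signature and docstring lie outside the hunk.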
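Review bot: test_2a_wraparound_bug pins only the 255-byte input, which exercises the $2a$ wrap case but not the truncation itself, so a regression that truncated at the wrong length, or only for inputs longer than 255 bytes, would still pass. Add an assertion that the hash depends on nothing past byte 72, e.g. `pw = b"0123456789" * 26` then `assert bcrypt.hashpw(pw[:72], salt) == bcrypt.hashpw(pw[:73], salt)` with the same salt, plus a `!=` check against `pw[:71]` to confirm the 72nd byte still counts. The expected digest on the last line is presumably the value 2.0.0 produced for this input; saying so in a comment, `# vector generated with pyca/bcrypt 2.0.0`, makes a future change to it recognisable as a compatibility break rather than a test fix.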