Fix SCryptPasswordEncoder javadoc

Issue gh-3702
Rob Winch 2016-03-03 14:18:50 -06:00
parent fc75a679d9
commit 8fbc7e0d2c


@ -24,8 +24,6 @@ import org.springframework.security.crypto.keygen.BytesKeyGenerator;
import org.springframework.security.crypto.keygen.KeyGenerators;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* <p>
* Implementation of PasswordEncoder that uses the SCrypt hashing function.
@ -45,9 +43,9 @@ import org.springframework.security.crypto.password.PasswordEncoder;
* unnecessary asymmetry between attacker and defender.</li>
* <li>Scrypt is based on Salsa20 which performs poorly in Java (on par with
* AES) but performs awesome (~4-5x faster) on SIMD capable platforms</li>
* <li>While there are some that would disagree, consider reading "<a href="
* http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html
* ">Why I Don't Recommend Scrypt</a> (for password storage)"</li>
* <li>While there are some that would disagree, consider reading -
* <a href="http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html">
* Why I Don't Recommend Scrypt</a> (for password storage)</li>
* </ul>
*
* @author Shazin Sadakath
@ -75,11 +73,24 @@ public class SCryptPasswordEncoder implements PasswordEncoder {
/**
* Creates a new instance
*
* @param cpuCost cpu cost of the algorithm (as defined in scrypt this is N). must be power of 2 greater than 1. Default is currently 16,348 or 2^14)
* @param memoryCost memory cost of the algorithm (as defined in scrypt this is r) Default is currently 8.
* @param parallelization the parallelization of the algorithm (as defined in scrypt this is p) Default is currently 1. Note that the implementation does not currently take advantage of parallelization.
* @param key length for the algorithm (as defined in scrypt this is dkLen). The default is currently 32.
* @param salt length (as defined in scrypt this is the length of S). The default is currently 64.
* @param cpuCost
* cpu cost of the algorithm (as defined in scrypt this is N).
* must be power of 2 greater than 1. Default is currently 16,348
* or 2^14)
* @param memoryCost
* memory cost of the algorithm (as defined in scrypt this is r)
* Default is currently 8.
* @param parallelization
* the parallelization of the algorithm (as defined in scrypt
* this is p) Default is currently 1. Note that the
* implementation does not currently take advantage of
* parallelization.
* @param keyLength
* key length for the algorithm (as defined in scrypt this is
* dkLen). The default is currently 32.
* @param saltLength
* salt length (as defined in scrypt this is the length of S).
* The default is currently 64.
*/
public SCryptPasswordEncoder(int cpuCost, int memoryCost, int parallelization, int keyLength, int saltLength) {
if (cpuCost <= 1) {
@ -137,7 +148,8 @@ public class SCryptPasswordEncoder implements PasswordEncoder {
int memoryCost = (int) params >> 8 & 0xff;
int parallelization = (int) params & 0xff;
byte[] generated = SCrypt.generate(Utf8.encode(rawPassword), salt, cpuCost, memoryCost, parallelization, keyLength);
byte[] generated = SCrypt.generate(Utf8.encode(rawPassword), salt, cpuCost, memoryCost, parallelization,
keyLength);
if (derived.length != generated.length) {
return false;
@ -153,7 +165,8 @@ public class SCryptPasswordEncoder implements PasswordEncoder {
private String digest(CharSequence rawPassword, byte[] salt) {
byte[] derived = SCrypt.generate(Utf8.encode(rawPassword), salt, cpuCost, memoryCost, parallelization, 32);
String params = Long.toString(((int) (Math.log(cpuCost) / Math.log(2)) << 16L) | memoryCost << 8 | parallelization, 16);
String params = Long
.toString(((int) (Math.log(cpuCost) / Math.log(2)) << 16L) | memoryCost << 8 | parallelization, 16);
StringBuilder sb = new StringBuilder((salt.length + derived.length) * 2);
sb.append("$").append(params).append('$');
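Review bot: In `digest`, the derived key is still generated with a hard-coded length of `32`, while the verification hunk above (`-137,7 +148,8`) passes `keyLength` to `SCrypt.generate` and returns false when `derived.length != generated.length`. If that `keyLength` is the value given to the constructor (its declaration is outside the visible hunks), an encoder configured with any key length other than 32 would store 32-byte hashes that never verify, and the configured length would not apply to stored hashes; the call should read `byte[] derived = SCrypt.generate(Utf8.encode(rawPassword), salt, cpuCost, memoryCost, parallelization, keyLength);`. Separately, the reflowed `@param cpuCost` javadoc keeps the figure `16,348`, but 2^14 is 16,384. The body of `digest` continues past the end of this hunk.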