Parameterize the PBKDF2 algorithm in application config
http://meta.discourse.org/t/sso-between-discourse-and-xmpp/8567/5
This commit is contained in:
parent
4b269de724
commit
35a2bb7919
|
@ -542,7 +542,7 @@ class User < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
|
|
||||||
def hash_password(password, salt)
|
def hash_password(password, salt)
|
||||||
Pbkdf2.hash_password(password, salt, Rails.configuration.pbkdf2_iterations)
|
Pbkdf2.hash_password(password, salt, Rails.configuration.pbkdf2_iterations, Rails.configuration.pbkdf2_algorithm)
|
||||||
end
|
end
|
||||||
|
|
||||||
def add_trust_level
|
def add_trust_level
|
||||||
|
@ -674,4 +674,3 @@ end
|
||||||
# index_users_on_username (username) UNIQUE
|
# index_users_on_username (username) UNIQUE
|
||||||
# index_users_on_username_lower (username_lower) UNIQUE
|
# index_users_on_username_lower (username_lower) UNIQUE
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
|
@ -89,6 +89,7 @@ module Discourse
|
||||||
|
|
||||||
# per https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
|
# per https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
|
||||||
config.pbkdf2_iterations = 64000
|
config.pbkdf2_iterations = 64000
|
||||||
|
config.pbkdf2_algorithm = "sha256"
|
||||||
|
|
||||||
# dumping rack lock cause the message bus does not work with it (throw :async, it catches Exception)
|
# dumping rack lock cause the message bus does not work with it (throw :async, it catches Exception)
|
||||||
# see: https://github.com/sporkrb/spork/issues/66
|
# see: https://github.com/sporkrb/spork/issues/66
|
||||||
|
|
|
@ -2,32 +2,32 @@
|
||||||
#
|
#
|
||||||
# Also PBKDF2 monkey patches string ... don't like that at all
|
# Also PBKDF2 monkey patches string ... don't like that at all
|
||||||
#
|
#
|
||||||
# Happy to move back to PBKDF2 ruby gem provided:
|
# Happy to move back to PBKDF2 ruby gem provided:
|
||||||
#
|
#
|
||||||
# 1. It works on Ruby 2.0
|
# 1. It works on Ruby 2.0
|
||||||
# 2. It works on 1.9.3
|
# 2. It works on 1.9.3
|
||||||
# 3. It does not monkey patch string
|
# 3. It does not monkey patch string
|
||||||
|
|
||||||
require 'openssl'
|
require 'openssl'
|
||||||
require 'xor'
|
require 'xor'
|
||||||
|
|
||||||
class Pbkdf2
|
class Pbkdf2
|
||||||
|
|
||||||
def self.hash_password(password, salt, iterations)
|
|
||||||
|
|
||||||
h = OpenSSL::Digest::Digest.new("sha256")
|
def self.hash_password(password, salt, iterations, algorithm = "sha256")
|
||||||
|
|
||||||
|
h = OpenSSL::Digest::Digest.new(algorithm)
|
||||||
|
|
||||||
u = ret = prf(h, password, salt + [1].pack("N"))
|
u = ret = prf(h, password, salt + [1].pack("N"))
|
||||||
|
|
||||||
2.upto(iterations) do
|
2.upto(iterations) do
|
||||||
u = prf(h, password, u)
|
u = prf(h, password, u)
|
||||||
ret.xor!(u)
|
ret.xor!(u)
|
||||||
end
|
end
|
||||||
|
|
||||||
ret.bytes.map{|b| ("0" + b.to_s(16))[-2..-1]}.join("")
|
ret.bytes.map{|b| ("0" + b.to_s(16))[-2..-1]}.join("")
|
||||||
end
|
end
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
|
||||||
# fallback xor in case we need it for jruby ... way slower
|
# fallback xor in case we need it for jruby ... way slower
|
||||||
def self.xor(x,y)
|
def self.xor(x,y)
|
||||||
|
|
Loading…
Reference in New Issue