DEV: Switch our fast_xor gem for xorcist (#10565)

* DEV: Switch our fast_xor gem for xorcist

We use the `xor` function as part of password hashing and we want to use
a faster version than the native ruby xor'ing feature so we use a gem
for this.

fast_xor has been abandoned, and xorcist fixed our initial holdup for
switching in https://github.com/fny/xorcist/issues/4

xorcist also has jruby support so we can remove our jruby fallback
logic.

* Move using statement inside of class
Blake Erickson 2020-08-31 13:20:44 -06:00 committed by GitHub
parent c3560a66f3
commit 43ffd4d28f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 24 deletions
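The PBKDF2 block computation this commit touches is small enough to check end to end. The following is an added example, not Discourse's code and not part of the commit: a pure-Ruby version of the single-block PBKDF2-HMAC loop with the XOR-accumulate step written out, plus a comparison against OpenSSL's own PBKDF2. It assumes the first block is built as PRF(password, salt || INT(1)) per RFC 8018 (the lines of `hash_password` that do that are not shown in the diff) and that the derived key length equals the digest length, which is what the `2.upto(iterations)` loop implies. The module and method names are chosen for this example.

```ruby
# Added example (not the project's code): explicit PBKDF2-HMAC single block,
# usable as a regression oracle when the xor implementation is swapped.
require 'openssl'

module Pbkdf2Check
  # Pure-Ruby xor of two equal-length binary strings: the slow path that a
  # native gem such as fast_xor or xorcist replaces. Raises on a length
  # mismatch instead of silently truncating.
  def self.xor(a, b)
    raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # First PBKDF2 block (RFC 8018 5.2): T1 = U1 xor U2 xor ... xor Uc with
  # U1 = PRF(P, S || INT(1)) and Ui = PRF(P, U(i-1)). Output length equals
  # the digest length (assumption: matches the single-block loop on the page).
  def self.hash_password(password, salt, iterations, algorithm = 'sha256')
    raise ArgumentError, 'iterations must be >= 1' unless iterations >= 1
    h = OpenSSL::Digest.new(algorithm)
    u = OpenSSL::HMAC.digest(h, password, salt + [1].pack('N'))
    ret = u.dup
    2.upto(iterations) do
      u = OpenSSL::HMAC.digest(h, password, u)
      ret = xor(ret, u) # the step the native gem does in place as ret.xor!(u)
    end
    ret.unpack1('H*')
  end

  # Reference value from OpenSSL's PBKDF2, so a gem swap can be verified
  # against an independent implementation.
  def self.openssl_reference(password, salt, iterations, algorithm = 'sha256')
    h = OpenSSL::Digest.new(algorithm)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: h.digest_length, hash: h).unpack1('H*')
  end

  def self.consistent?(password, salt, iterations, algorithm = 'sha256')
    hash_password(password, salt, iterations, algorithm) ==
      openssl_reference(password, salt, iterations, algorithm)
  end
end

if __FILE__ == $PROGRAM_NAME
  # 'password' / 'salt' / 1 iteration is the commonly cited PBKDF2-HMAC-SHA256 vector
  puts Pbkdf2Check.hash_password('password', 'salt', 1)
  puts Pbkdf2Check.consistent?('password', 'salt', 4096)
end
```

A spec that asserts `Pbkdf2.hash_password` equals `Pbkdf2Check.openssl_reference` for a few inputs would catch any change in xor semantics introduced by a future gem swap, whichever xor implementation is loaded.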

View File

@ -79,8 +79,7 @@ gem 'rails_multisite'
gem 'fast_xs', platform: :ruby gem 'fast_xs', platform: :ruby
# may move to xorcist post: https://github.com/fny/xorcist/issues/4 gem 'xorcist'
gem 'fast_xor', platform: :ruby
gem 'fastimage' gem 'fastimage'
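Review bot: `gem 'xorcist'` is added with no version constraint even though it sits on the password-hashing path and the lock pins 1.1.2; pin it (for example `gem 'xorcist', '~> 1.1'`) so a future major release cannot be pulled in by a routine `bundle update` and change what `xor!` does under stored-hash verification. Dropping `platform: :ruby` is consistent with the JRuby support the commit message relies on to remove the fallback.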

View File

@ -130,9 +130,6 @@ GEM
faraday (1.0.1) faraday (1.0.1)
multipart-post (>= 1.2, < 3) multipart-post (>= 1.2, < 3)
fast_blank (1.0.0) fast_blank (1.0.0)
fast_xor (1.1.3)
rake
rake-compiler
fast_xs (0.8.0) fast_xs (0.8.0)
fastimage (2.2.0) fastimage (2.2.0)
ffi (1.13.1) ffi (1.13.1)
@ -296,8 +293,6 @@ GEM
rainbow (3.0.0) rainbow (3.0.0)
raindrops (0.19.1) raindrops (0.19.1)
rake (13.0.1) rake (13.0.1)
rake-compiler (1.1.1)
rake
rb-fsevent (0.10.4) rb-fsevent (0.10.4)
rb-inotify (0.10.1) rb-inotify (0.10.1)
ffi (~> 1.0) ffi (~> 1.0)
@ -429,6 +424,7 @@ GEM
webpush (1.0.0) webpush (1.0.0)
hkdf (~> 0.2) hkdf (~> 0.2)
jwt (~> 2.0) jwt (~> 2.0)
xorcist (1.1.2)
yaml-lint (0.0.10) yaml-lint (0.0.10)
zeitwerk (2.4.0) zeitwerk (2.4.0)
@ -472,7 +468,6 @@ DEPENDENCIES
fabrication fabrication
fakeweb fakeweb
fast_blank fast_blank
fast_xor
fast_xs fast_xs
fastimage fastimage
flamegraph flamegraph
@ -560,6 +555,7 @@ DEPENDENCIES
unicorn unicorn
webmock webmock
webpush webpush
xorcist
yaml-lint yaml-lint
BUNDLED WITH BUNDLED WITH

View File

@ -1,19 +1,14 @@
# frozen_string_literal: true # frozen_string_literal: true
# Note: the pbkdf2 gem is bust on 2.0, the logic is so simple I am not sure it makes sense to have this in a gem atm (Sam) # Note: This logic was originaly extracted from the Pbkdf2 gem to fix Ruby 2.0
# # issues, but that gem has gone stale so we won't be returning to it.
# Also PBKDF2 monkey patches string ... don't like that at all
#
# Happy to move back to PBKDF2 ruby gem provided:
#
# 1. It works on Ruby 2.0
# 2. It works on 1.9.3
# 3. It does not monkey patch string
require 'openssl' require 'openssl'
require 'xor' require 'xorcist'
require 'xorcist/refinements'
class Pbkdf2 class Pbkdf2
using Xorcist::Refinements
def self.hash_password(password, salt, iterations, algorithm = "sha256") def self.hash_password(password, salt, iterations, algorithm = "sha256")
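Review bot: `using Xorcist::Refinements` inside the class body is the narrowest correct scope (the refined `String#xor!` is visible only for the rest of this class body), but a dropped or misplaced `using` surfaces only at call time as a NoMethodError; if the gem's module-level form is preferred, calling the module function directly avoids refinement scoping entirely. The new header comment also misspells "originally" ("originaly") on its first line.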
@ -23,7 +18,7 @@ class Pbkdf2
2.upto(iterations) do 2.upto(iterations) do
u = prf(h, password, u) u = prf(h, password, u)
ret.xor!(u) ret.xor!(u)
end end
ret.bytes.map { |b| ("0" + b.to_s(16))[-2..-1] }.join("") ret.bytes.map { |b| ("0" + b.to_s(16))[-2..-1] }.join("")
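Review bot: the swap's "same output" claim rests on `ret.xor!(u)` behaving identically under xorcist and fast_xor, yet no spec is added; add one comparing `Pbkdf2.hash_password` with `OpenSSL::KDF.pbkdf2_hmac` (or `OpenSSL::PKCS5.pbkdf2_hmac`) for the same password, salt and iteration count, so a future xor change cannot silently break login. Both operands here are HMAC digests of equal length, so any difference between the gems on unequal-length inputs does not apply to this loop. Style: `ret.unpack1("H*")` (Ruby 2.4+) yields the same hex string as the `bytes.map { ... }.join("")` on the last line.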
@ -31,11 +26,6 @@ class Pbkdf2
protected protected
# fallback xor in case we need it for jruby ... way slower
def self.xor(x, y)
x.bytes.zip(y.bytes).map { |a, b| a ^ b }.pack('c*')
end
def self.prf(hash_function, password, data) def self.prf(hash_function, password, data)
OpenSSL::HMAC.digest(hash_function, password, data) OpenSSL::HMAC.digest(hash_function, password, data)
end end
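Review bot: with the fallback `xor` removed, `protected` now covers only `self.prf`, and it has no effect there: `protected`/`private` apply to instance methods defined after them, not to singleton methods defined with `def self.`; use `private_class_method :prf` if the intent is to hide it. Note also that there is now no pure-Ruby path at all, so if the xorcist native extension fails to build the app fails at `bundle install` rather than password hashing degrading; that is the right failure mode for this code, but worth stating in the commit message.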