Support PBKDF2 using SHA512 #21

Closed
3 changes: 2 additions & 1 deletion lib/devise/encryptable/encryptable.rb
Expand Up @@ -18,11 +18,12 @@ module Encryptors
autoload :AuthlogicSha512, 'devise/encryptable/encryptors/authlogic_sha512'
autoload :Base, 'devise/encryptable/encryptors/base'
autoload :ClearanceSha1, 'devise/encryptable/encryptors/clearance_sha1'
autoload :Pbkdf2, 'devise/encryptable/encryptors/pbkdf2'
autoload :RestfulAuthenticationSha1, 'devise/encryptable/encryptors/restful_authentication_sha1'
autoload :Sha1, 'devise/encryptable/encryptors/sha1'
autoload :Sha512, 'devise/encryptable/encryptors/sha512'
end
end
end

Devise.add_module(:encryptable, :model => 'devise/encryptable/model')
Devise.add_module(:encryptable, :model => 'devise/encryptable/model')
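Review bot: the stat line for this file reports 2 additions and 1 deletion, but the only functional change in the hunk is the new `autoload :Pbkdf2, 'devise/encryptable/encryptors/pbkdf2'` line; the two `Devise.add_module(:encryptable, :model => 'devise/encryptable/model')` lines at the end of the hunk show the file's last line being replaced by an identical one, i.e. a trailing-newline or whitespace-only edit. Drop that incidental change (or mention it in the commit message) so the PR diff stays limited to the PBKDF2 support it is adding.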
25 changes: 25 additions & 0 deletions lib/devise/encryptable/encryptors/pbkdf2.rb
@@ -0,0 +1,25 @@
begin
module Devise
module Encryptable
module Encryptors
class Pbkdf2 < Base
def self.compare(encrypted_password, password, stretches, salt, pepper)
value_to_test = self.digest(password, stretches, salt, pepper)
ActiveSupport::SecurityUtils.fixed_length_secure_compare(encrypted_password, value_to_test)


If comparing unmatching values of differing length, this fails with mismatch length error. This should use Devise.secure_compare instead, which should also do a fixed length comparison, but also does an initial byte size/length check.

Suggested change
ActiveSupport::SecurityUtils.fixed_length_secure_compare(encrypted_password, value_to_test)
Devise.secure_compare(encrypted_password, value_to_test)

end

def self.digest(password, stretches, salt, pepper)
hash = OpenSSL::Digest::SHA512.new


Suggested change
hash = OpenSSL::Digest::SHA512.new
hash = OpenSSL::Digest.new('SHA512').new

OpenSSL::KDF.pbkdf2_hmac(
password,


If a password is entirely numeric this function will fail trying due to implicit conversion of integer to string.

Suggested change
password,
password.to_s,

salt: "#{[salt].pack('H*')}#{pepper}",
iterations: stretches,
hash: hash,
length: hash.digest_length,
).unpack('H*')[0]


Suggested change
).unpack('H*')[0]
).unpack1('H*')

end
end
end
end
end
end
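Review bot: the `salt: "#{[salt].pack('H*')}#{pepper}"` argument decodes the stored salt as a hex string, and `pack('H*')` does not raise on non-hex input; it silently maps each character's low nibble to bytes, so a salt that was not generated as hex yields a different key with no error. Either pass `salt` through unchanged or document in the class that this encryptor requires hex-encoded salts. Separately, the `begin` on the first line has no `rescue` or `ensure` clause, so the file-wide `begin ... end` (the final `end` on the last line) is a no-op and should be removed together with the extra indentation level.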
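The review comments above make three points about the new encryptor: a fixed-length compare raises on inputs of different byte size, so the comparison needs a length check first; a numeric password must be coerced with `to_s` before it reaches `OpenSSL::KDF.pbkdf2_hmac`; and `unpack1('H*')` replaces `unpack('H*')[0]`. The following is an added, stand-alone example written for this page, not code from devise-encryptable or from the pull request. It reimplements the encryptor with those fixes applied and uses its own `secure_compare` (modelled on a length check followed by constant-time XOR, since ActiveSupport is not assumed to be available) and a `fixed_length_compare` helper that mimics the raising behaviour the reviewer describes. The module name `Pbkdf2Sha512Example`, the helper names, and the salt, pepper and password values are all constructed for the example.

```ruby
require 'openssl'

# Added example (not devise-encryptable code): PBKDF2-HMAC-SHA512 password
# digest plus a length-checked constant-time comparison.
module Pbkdf2Sha512Example
  HASH_NAME = 'SHA512'

  # Derive a PBKDF2-HMAC-SHA512 key from the password and return it as
  # lowercase hex. The salt is assumed to be hex-encoded (as in the PR) and
  # the pepper is appended to the decoded salt bytes.
  def self.digest(password, stretches, salt, pepper)
    hash = OpenSSL::Digest.new(HASH_NAME)
    OpenSSL::KDF.pbkdf2_hmac(
      password.to_s,                          # numeric passwords would otherwise raise TypeError
      salt: [salt].pack('H*') + pepper.to_s.b, # .b avoids encoding clashes with the binary salt
      iterations: stretches,
      hash: hash,
      length: hash.digest_length
    ).unpack1('H*')
  end

  # Mimics a strict fixed-length compare: raises instead of returning false
  # when the byte sizes differ. Shown only to illustrate the failure mode.
  def self.fixed_length_compare(a, b)
    raise ArgumentError, 'inputs must be of equal byte size' unless a.bytesize == b.bytesize
    constant_time_equal?(a, b)
  end

  # Length check first, then constant-time comparison, so a truncated or
  # malformed stored hash yields false rather than an exception.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    constant_time_equal?(a, b)
  end

  def self.constant_time_equal?(a, b)
    left = a.unpack('C*')
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end

  def self.compare(encrypted_password, password, stretches, salt, pepper)
    secure_compare(encrypted_password, digest(password, stretches, salt, pepper))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values for a quick demo run.
  salt = 'c0ffee0123456789abcd'
  stored = Pbkdf2Sha512Example.digest('correct horse', 1000, salt, 'pepper')
  puts "stored digest (#{stored.length} hex chars): #{stored[0, 16]}..."
  puts "right password: #{Pbkdf2Sha512Example.compare(stored, 'correct horse', 1000, salt, 'pepper')}"
  puts "wrong password: #{Pbkdf2Sha512Example.compare(stored, 'wrong', 1000, salt, 'pepper')}"
  puts "truncated hash: #{Pbkdf2Sha512Example.compare(stored[0, 64], 'correct horse', 1000, salt, 'pepper')}"
end
```

Running it shows a 128-character hex digest, `true` for the matching password, `false` for a wrong one and `false` (no exception) for a truncated stored hash; `fixed_length_compare` on the same truncated input raises `ArgumentError`, which is the behaviour the review comment warns about.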