From 483034bb627036c850b92fb9fa4e8e14cb7c97fd Mon Sep 17 00:00:00 2001
From: Jeff Trudeau
Date: Fri, 21 Aug 2020 15:20:13 -0400
Subject: [PATCH 1/2] Support PBKDF2 using SHA512

---
 lib/devise/encryptable/encryptable.rb | 3 ++-
 lib/devise/encryptable/encryptors/pbkdf2.rb | 25 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 lib/devise/encryptable/encryptors/pbkdf2.rb

diff --git a/lib/devise/encryptable/encryptable.rb b/lib/devise/encryptable/encryptable.rb
index cfd5af3..1a39b80 100644
--- a/lib/devise/encryptable/encryptable.rb
+++ b/lib/devise/encryptable/encryptable.rb
@@ -18,6 +18,7 @@ module Encryptors
 autoload :AuthlogicSha512, 'devise/encryptable/encryptors/authlogic_sha512'
 autoload :Base, 'devise/encryptable/encryptors/base'
 autoload :ClearanceSha1, 'devise/encryptable/encryptors/clearance_sha1'
+ autoload :Pbkdf2, 'devise/encryptable/encryptors/pbkdf2'
 autoload :RestfulAuthenticationSha1, 'devise/encryptable/encryptors/restful_authentication_sha1'
 autoload :Sha1, 'devise/encryptable/encryptors/sha1'
 autoload :Sha512, 'devise/encryptable/encryptors/sha512'
@@ -25,4 +26,4 @@ module Encryptors
 end
 end
-Devise.add_module(:encryptable, :model => 'devise/encryptable/model')
\ No newline at end of file
+Devise.add_module(:encryptable, :model => 'devise/encryptable/model')
diff --git a/lib/devise/encryptable/encryptors/pbkdf2.rb b/lib/devise/encryptable/encryptors/pbkdf2.rb
new file mode 100644
index 0000000..c06d890
--- /dev/null
+++ b/lib/devise/encryptable/encryptors/pbkdf2.rb
@@ -0,0 +1,25 @@
+begin
+ module Devise
+ module Encryptable
+ module Encryptors
+ class Pbkdf2 < Base
+ def self.compare(encrypted_password, password, stretches, salt, pepper)
+ value_to_test = self.digest(password, stretches, salt, pepper)
+ ActiveSupport::SecurityUtils.fixed_length_secure_compare(encrypted_password, value_to_test)
+ end
+
+ def self.digest(password, stretches, salt, pepper)
+ hash = OpenSSL::Digest::SHA512.new
+ OpenSSL::KDF.pbkdf2_hmac(
+ password,
+ salt: "#{[salt].pack('H*')}#{pepper}",
+ iterations: stretches,
+ hash: hash,
+ length: hash.digest_length,
+ ).unpack('H*')[0]
+ end
+ end
+ end
+ end
+end

From 0bc8ea7db9fe08f7c81a7e83424f6dff2a587ba6 Mon Sep 17 00:00:00 2001
From: Jeff Trudeau
Date: Thu, 16 Jun 2022 15:04:15 -0400
Subject: [PATCH 2/2] Changes per https://github.com/heartcombo/devise-encryptable/pull/21

---
 lib/devise/encryptable/encryptors/pbkdf2.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/devise/encryptable/encryptors/pbkdf2.rb b/lib/devise/encryptable/encryptors/pbkdf2.rb
index c06d890..cf0a3d8 100644
--- a/lib/devise/encryptable/encryptors/pbkdf2.rb
+++ b/lib/devise/encryptable/encryptors/pbkdf2.rb
@@ -5,18 +5,18 @@ module Encryptors
 class Pbkdf2 < Base
 def self.compare(encrypted_password, password, stretches, salt, pepper)
 value_to_test = self.digest(password, stretches, salt, pepper)
- ActiveSupport::SecurityUtils.fixed_length_secure_compare(encrypted_password, value_to_test)
+ Devise.secure_compare(encrypted_password, value_to_test)
 end
 def self.digest(password, stretches, salt, pepper)
- hash = OpenSSL::Digest::SHA512.new
+ hash = OpenSSL::Digest.new('SHA512').new
 OpenSSL::KDF.pbkdf2_hmac(
- password,
+ password.to_s,
 salt: "#{[salt].pack('H*')}#{pepper}",
 iterations: stretches,
 hash: hash,
 length: hash.digest_length,
- ).unpack('H*')[0]
+ ).unpack1('H*')
 end
 end
 end
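Review bot: The salt line `salt: "#{[salt].pack('H*')}#{pepper}"` in `digest` assumes the stored salt is hex-encoded, and as I read Ruby's `H` pack directive it does not reject anything else: every character is folded into a single 4-bit nibble (alphabetic characters via their low bits plus 9), so a non-hex salt is silently compressed and distinct characters collide rather than raising. Nothing in the patch shows how the salts this encryptor verifies are generated; if they are not guaranteed hex, the effective salt entropy is reduced with no error, so either validate before packing (`raise ArgumentError, 'salt must be hex-encoded' unless salt.to_s.match?(/\A\h+\z/)`) or document the hex requirement on the class. The class has no header comment at all; I would add one stating that `salt` is hex-decoded to raw bytes, `pepper` is appended raw, `stretches` is the PBKDF2 iteration count, and the return value is the lowercase hex of a full-length SHA-512 PBKDF2 output. If the leading `+begin` is literal rather than a collapse artifact, a `begin`/`end` with no `rescue` or `ensure` around the module is a no-op wrapper and should be dropped. The same salt line is carried unchanged as context in the second patch's hunk, so the point applies there too.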
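Review bot: `hash = OpenSSL::Digest.new('SHA512').new` calls `new` on an already-constructed digest instance; `Digest::Instance#new` returns a reset copy, so this runs but allocates twice and reads as a typo, and `hash = OpenSSL::Digest.new('SHA512')` is the intended form. In `compare`, `self.digest(password, stretches, salt, pepper)` can be written `digest(password, stretches, salt, pepper)` since it is a class-method call on the same receiver. The hunk passes `stretches` straight through as `iterations:` with no check; it is worth confirming that `OpenSSL::KDF.pbkdf2_hmac` rejects a zero or nil iteration count rather than producing a degenerate derivation, and if it does not, guarding it before the call, e.g. `raise ArgumentError, 'stretches must be positive' unless stretches.to_i.positive?`.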