module PasswordHash
SALT_BYTE_SIZE = 32
HASH_BYTE_SIZE = 32
- PBKDF2_ITERATIONS = 1000
- DIGEST_ALGORITHM = "sha512"
+ PBKDF2_ITERATIONS = 10000
+ DIGEST_ALGORITHM = "sha512".freeze
def self.create(password)
salt = SecureRandom.base64(SALT_BYTE_SIZE)
hash = self.hash(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE, DIGEST_ALGORITHM)
- return hash, [DIGEST_ALGORITHM, PBKDF2_ITERATIONS, salt].join("!")
+ [hash, [DIGEST_ALGORITHM, PBKDF2_ITERATIONS, salt].join("!")]
end
def self.check(hash, salt, candidate)
if salt.nil?
candidate = Digest::MD5.hexdigest(candidate)
- elsif salt =~ /!/
+ elsif salt.include?("!")
algorithm, iterations, salt = salt.split("!")
size = Base64.strict_decode64(hash).length
candidate = self.hash(candidate, salt, iterations.to_i, size, algorithm)
candidate = Digest::MD5.hexdigest(salt + candidate)
end
- return hash == candidate
+ hash == candidate
end
-private
+ def self.upgrade?(hash, salt)
+ if salt.nil?
+ return true
+ elsif salt.include?("!")
+ algorithm, iterations, salt = salt.split("!")
+ return true if Base64.strict_decode64(salt).length != SALT_BYTE_SIZE
+ return true if Base64.strict_decode64(hash).length != HASH_BYTE_SIZE
+ return true if iterations.to_i != PBKDF2_ITERATIONS
+ return true if algorithm != DIGEST_ALGORITHM
+ else
+ return true
+ end
+
+ false
+ end
def self.hash(password, salt, iterations, size, algorithm)
digest = OpenSSL::Digest.new(algorithm)
- pbkdf2 = OpenSSL::PKCS5::pbkdf2_hmac(password, salt, iterations, size, digest)
+ pbkdf2 = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, size, digest)
Base64.strict_encode64(pbkdf2)
end
end
projects / rails.git / blobdiff