aspnet_password_hasher 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/ci.yml +3 -3
  3. data/CHANGELOG.md +4 -0
  4. data/README.md +1 -0
  5. data/lib/aspnet_password_hasher/password_hasher.rb +22 -12
  6. data/lib/aspnet_password_hasher/version.rb +1 -1
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b06e4dc5a1b9d924d3ab268a0558d86411b66f321cdc4dbbf1231875d7f8f967
4
- data.tar.gz: 30a00eaece15084ac2422c48b9675be4e38b481513a05023f400507b0bac2c81
3
+ metadata.gz: e388cb26bd568565e0870665eb2040dc07a512b584103ebc7079d86677d37dc7
4
+ data.tar.gz: 937f379680d571554082707ead950efd8b2eb198009fced622d42197a8dc4428
5
5
  SHA512:
6
- metadata.gz: 21390413464568ba498eca11652e1d7a48d604331da2d04de19d1e70236850396a862514ccf02011a1b5388e6eae1da4189120193bc6ded573b5e8f35a5819e2
7
- data.tar.gz: 11c9ed3b3bc76420f9e8ab9ab8b29dba7b1541ea3bcf771f6f96f50d17c8a7ece344fc7775cd9f1b999bf15ac23413f099f56bb2cce0206283336690d32522c5
6
+ metadata.gz: 0ad1768064f22d3ada3f0a61cb537d2b94c22a3fcc11e39f5087ac9f91320a8068158e6fdf7955c17e7523fc24576c057a77cd736724eac609cbd86bfa1039e1
7
+ data.tar.gz: 8623ce2638104ceb5ac50964efaa4704e891e58c2b569a019b12916a8fca571baf6abed615ff77b43a98766907b2ec9592bc16036910325037ed48ad5e3572c5
data/.github/workflows/ci.yml CHANGED
@@ -11,10 +11,10 @@ jobs:
11
11
  runs-on: ubuntu-latest
12
12
  strategy:
13
13
  matrix:
14
- ruby_version: [3.0, 2.7, 2.6, 2.5, 2.4]
14
+ ruby_version: [3.1, 3.0, 2.7, 2.6, 2.5, 2.4]
15
15
 
16
16
  steps:
17
- - uses: actions/checkout@v2
17
+ - uses: actions/checkout@v3
18
18
 
19
19
  - name: Setup Ruby
20
20
  uses: ruby/setup-ruby@v1
@@ -27,7 +27,7 @@ jobs:
27
27
  bundle exec rake
28
28
 
29
29
  - name: Upload coverage
30
- uses: actions/upload-artifact@v2
30
+ uses: actions/upload-artifact@v3
31
31
  if: always()
32
32
  with:
33
33
  name: coverage-ruby-${{ matrix.ruby_version }}
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## 1.1.0
2
+
3
+ - Update V3 password hashing to use SHA512 with 100k iterations
4
+
1
5
  ## 1.0.0
2
6
 
3
7
  - Initial release
data/README.md CHANGED
@@ -1,3 +1,4 @@
1
+ [![Gem Version](https://badge.fury.io/rb/aspnet_password_hasher.svg)](https://badge.fury.io/rb/aspnet_password_hasher)
1
2
  ![](https://github.com/kzkn/aspnet_password_hasher/workflows/CI/badge.svg)
2
3
 
3
4
  # AspnetPasswordHasher
data/lib/aspnet_password_hasher/password_hasher.rb CHANGED
@@ -6,6 +6,10 @@ require 'base64'
6
6
 
7
7
  module AspnetPasswordHasher
8
8
  class PasswordHasher
9
+ KEY_DERIVATION_PRF_HMACSHA1 = 0
10
+ KEY_DERIVATION_PRF_HMACSHA256 = 1
11
+ KEY_DERIVATION_PRF_HMACSHA512 = 2
12
+
9
13
  def initialize(options = {})
10
14
  @mode = options[:mode] || :v3
11
15
  @rng = options[:random_number_generator] || SecureRandom
@@ -14,7 +18,7 @@ module AspnetPasswordHasher
14
18
  when :v2
15
19
  @iter_count = 0
16
20
  when :v3
17
- @iter_count = options[:iter_count] || 10000
21
+ @iter_count = options[:iter_count] || 100000
18
22
  if @iter_count < 1
19
23
  raise ArgumentError, "Invalid password hasher iteration count"
20
24
  end
@@ -45,9 +49,15 @@ module AspnetPasswordHasher
45
49
  end
46
50
  when "\x01"
47
51
  # v3
48
- result, embed_iter_count = verify_hashed_password_v3(decoded_hashed_password, provided_password)
52
+ result, embed_iter_count, prf = verify_hashed_password_v3(decoded_hashed_password, provided_password)
49
53
  if result
50
- embed_iter_count < @iter_count ? :success_rehash_needed : :success
54
+ if embed_iter_count < @iter_count
55
+ :success_rehash_needed
56
+ elsif prf == KEY_DERIVATION_PRF_HMACSHA1 || prf == KEY_DERIVATION_PRF_HMACSHA256
57
+ :success_rehash_needed
58
+ else
59
+ :success
60
+ end
51
61
  else
52
62
  :failed
53
63
  end
@@ -75,12 +85,12 @@ module AspnetPasswordHasher
75
85
  end
76
86
 
77
87
  def hash_password_v3(password)
78
- prf = 1 # HMACSHA256
88
+ prf = KEY_DERIVATION_PRF_HMACSHA512
79
89
  salt_size = 128 / 8
80
90
  num_bytes_requested = 256 / 8
81
91
 
82
92
  salt = @rng.bytes(salt_size)
83
- digest = OpenSSL::Digest::SHA256.new
93
+ digest = OpenSSL::Digest::SHA512.new
84
94
  subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, @iter_count, num_bytes_requested, digest)
85
95
 
86
96
  output_bytes = String.new
@@ -116,31 +126,31 @@ module AspnetPasswordHasher
116
126
  salt_len = hashed_password[9..12].unpack('N')[0]
117
127
  # salt must be >= 128 bits
118
128
  if salt_len < 128 / 8
119
- return [false, nil]
129
+ return [false, nil, nil]
120
130
  end
121
131
 
122
132
  salt = hashed_password[13...(13 + salt_len)]
123
133
  subkey_len = hashed_password.length - 13 - salt_len
124
134
  # subkey must by >= 128 bits
125
135
  if subkey_len < 128 / 8
126
- return [false, nil]
136
+ return [false, nil, nil]
127
137
  end
128
138
 
129
139
  expected_subkey = hashed_password[(13 + salt_len)...hashed_password.length]
130
140
 
131
141
  digest = case prf
132
- when 0
142
+ when KEY_DERIVATION_PRF_HMACSHA1
133
143
  OpenSSL::Digest::SHA1.new
134
- when 1
144
+ when KEY_DERIVATION_PRF_HMACSHA256
135
145
  OpenSSL::Digest::SHA256.new
136
- when 2
146
+ when KEY_DERIVATION_PRF_HMACSHA512
137
147
  OpenSSL::Digest::SHA512.new
138
148
  end
139
149
  actual_subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter_count, subkey_len, digest)
140
150
 
141
- [expected_subkey == actual_subkey, iter_count]
151
+ [expected_subkey == actual_subkey, iter_count, prf]
142
152
  rescue StandardError
143
- [false, nil]
153
+ [false, nil, nil]
144
154
  end
145
155
  end
146
156
  end
data/lib/aspnet_password_hasher/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module AspnetPasswordHasher
4
- VERSION = "1.0.0"
4
+ VERSION = "1.1.0"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aspnet_password_hasher
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Kazuki Nishikawa
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-07-01 00:00:00.000000000 Z
11
+ date: 2022-10-08 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: An implementation of password hashing compatible with ASP.NET Identity
14
14
  email:
@@ -53,7 +53,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
53
53
  - !ruby/object:Gem::Version
54
54
  version: '0'
55
55
  requirements: []
56
- rubygems_version: 3.1.4
56
+ rubygems_version: 3.2.22
57
57
  signing_key:
58
58
  specification_version: 4
59
59
  summary: An implementation of password hashing compatible with ASP.NET Identity