aspnet_password_hasher 1.0.0 → 1.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/ci.yml +3 -3
  3. data/CHANGELOG.md +4 -0
  4. data/README.md +1 -0
  5. data/lib/aspnet_password_hasher/password_hasher.rb +22 -12
  6. data/lib/aspnet_password_hasher/version.rb +1 -1
  7. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b06e4dc5a1b9d924d3ab268a0558d86411b66f321cdc4dbbf1231875d7f8f967
4
- data.tar.gz: 30a00eaece15084ac2422c48b9675be4e38b481513a05023f400507b0bac2c81
3
+ metadata.gz: e388cb26bd568565e0870665eb2040dc07a512b584103ebc7079d86677d37dc7
4
+ data.tar.gz: 937f379680d571554082707ead950efd8b2eb198009fced622d42197a8dc4428
5
5
  SHA512:
6
- metadata.gz: 21390413464568ba498eca11652e1d7a48d604331da2d04de19d1e70236850396a862514ccf02011a1b5388e6eae1da4189120193bc6ded573b5e8f35a5819e2
7
- data.tar.gz: 11c9ed3b3bc76420f9e8ab9ab8b29dba7b1541ea3bcf771f6f96f50d17c8a7ece344fc7775cd9f1b999bf15ac23413f099f56bb2cce0206283336690d32522c5
6
+ metadata.gz: 0ad1768064f22d3ada3f0a61cb537d2b94c22a3fcc11e39f5087ac9f91320a8068158e6fdf7955c17e7523fc24576c057a77cd736724eac609cbd86bfa1039e1
7
+ data.tar.gz: 8623ce2638104ceb5ac50964efaa4704e891e58c2b569a019b12916a8fca571baf6abed615ff77b43a98766907b2ec9592bc16036910325037ed48ad5e3572c5
data/.github/workflows/ci.yml CHANGED
@@ -11,10 +11,10 @@ jobs:
11
11
  runs-on: ubuntu-latest
12
12
  strategy:
13
13
  matrix:
14
- ruby_version: [3.0, 2.7, 2.6, 2.5, 2.4]
14
+ ruby_version: [3.1, 3.0, 2.7, 2.6, 2.5, 2.4]
15
15
 
16
16
  steps:
17
- - uses: actions/checkout@v2
17
+ - uses: actions/checkout@v3
18
18
 
19
19
  - name: Setup Ruby
20
20
  uses: ruby/setup-ruby@v1
@@ -27,7 +27,7 @@ jobs:
27
27
  bundle exec rake
28
28
 
29
29
  - name: Upload coverage
30
- uses: actions/upload-artifact@v2
30
+ uses: actions/upload-artifact@v3
31
31
  if: always()
32
32
  with:
33
33
  name: coverage-ruby-${{ matrix.ruby_version }}
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## 1.1.0
2
+
3
+ - Update V3 password hashing to use SHA512 with 100k iterations
4
+
1
5
  ## 1.0.0
2
6
 
3
7
  - Initial release
data/README.md CHANGED
@@ -1,3 +1,4 @@
1
+ [![Gem Version](https://badge.fury.io/rb/aspnet_password_hasher.svg)](https://badge.fury.io/rb/aspnet_password_hasher)
1
2
  ![](https://github.com/kzkn/aspnet_password_hasher/workflows/CI/badge.svg)
2
3
 
3
4
  # AspnetPasswordHasher
data/lib/aspnet_password_hasher/password_hasher.rb CHANGED
@@ -6,6 +6,10 @@ require 'base64'
6
6
 
7
7
  module AspnetPasswordHasher
8
8
  class PasswordHasher
9
+ KEY_DERIVATION_PRF_HMACSHA1 = 0
10
+ KEY_DERIVATION_PRF_HMACSHA256 = 1
11
+ KEY_DERIVATION_PRF_HMACSHA512 = 2
12
+
9
13
  def initialize(options = {})
10
14
  @mode = options[:mode] || :v3
11
15
  @rng = options[:random_number_generator] || SecureRandom
@@ -14,7 +18,7 @@ module AspnetPasswordHasher
14
18
  when :v2
15
19
  @iter_count = 0
16
20
  when :v3
17
- @iter_count = options[:iter_count] || 10000
21
+ @iter_count = options[:iter_count] || 100000
18
22
  if @iter_count < 1
19
23
  raise ArgumentError, "Invalid password hasher iteration count"
20
24
  end
@@ -45,9 +49,15 @@ module AspnetPasswordHasher
45
49
  end
46
50
  when "\x01"
47
51
  # v3
48
- result, embed_iter_count = verify_hashed_password_v3(decoded_hashed_password, provided_password)
52
+ result, embed_iter_count, prf = verify_hashed_password_v3(decoded_hashed_password, provided_password)
49
53
  if result
50
- embed_iter_count < @iter_count ? :success_rehash_needed : :success
54
+ if embed_iter_count < @iter_count
55
+ :success_rehash_needed
56
+ elsif prf == KEY_DERIVATION_PRF_HMACSHA1 || prf == KEY_DERIVATION_PRF_HMACSHA256
57
+ :success_rehash_needed
58
+ else
59
+ :success
60
+ end
51
61
  else
52
62
  :failed
53
63
  end
@@ -75,12 +85,12 @@ module AspnetPasswordHasher
75
85
  end
76
86
 
77
87
  def hash_password_v3(password)
78
- prf = 1 # HMACSHA256
88
+ prf = KEY_DERIVATION_PRF_HMACSHA512
79
89
  salt_size = 128 / 8
80
90
  num_bytes_requested = 256 / 8
81
91
 
82
92
  salt = @rng.bytes(salt_size)
83
- digest = OpenSSL::Digest::SHA256.new
93
+ digest = OpenSSL::Digest::SHA512.new
84
94
  subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, @iter_count, num_bytes_requested, digest)
85
95
 
86
96
  output_bytes = String.new
@@ -116,31 +126,31 @@ module AspnetPasswordHasher
116
126
  salt_len = hashed_password[9..12].unpack('N')[0]
117
127
  # salt must be >= 128 bits
118
128
  if salt_len < 128 / 8
119
- return [false, nil]
129
+ return [false, nil, nil]
120
130
  end
121
131
 
122
132
  salt = hashed_password[13...(13 + salt_len)]
123
133
  subkey_len = hashed_password.length - 13 - salt_len
124
134
  # subkey must by >= 128 bits
125
135
  if subkey_len < 128 / 8
126
- return [false, nil]
136
+ return [false, nil, nil]
127
137
  end
128
138
 
129
139
  expected_subkey = hashed_password[(13 + salt_len)...hashed_password.length]
130
140
 
131
141
  digest = case prf
132
- when 0
142
+ when KEY_DERIVATION_PRF_HMACSHA1
133
143
  OpenSSL::Digest::SHA1.new
134
- when 1
144
+ when KEY_DERIVATION_PRF_HMACSHA256
135
145
  OpenSSL::Digest::SHA256.new
136
- when 2
146
+ when KEY_DERIVATION_PRF_HMACSHA512
137
147
  OpenSSL::Digest::SHA512.new
138
148
  end
139
149
  actual_subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter_count, subkey_len, digest)
140
150
 
141
- [expected_subkey == actual_subkey, iter_count]
151
+ [expected_subkey == actual_subkey, iter_count, prf]
142
152
  rescue StandardError
143
- [false, nil]
153
+ [false, nil, nil]
144
154
  end
145
155
  end
146
156
  end
data/lib/aspnet_password_hasher/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module AspnetPasswordHasher
4
- VERSION = "1.0.0"
4
+ VERSION = "1.1.0"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aspnet_password_hasher
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Kazuki Nishikawa
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-07-01 00:00:00.000000000 Z
11
+ date: 2022-10-08 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: An implementation of password hashing compatible with ASP.NET Identity
14
14
  email:
@@ -53,7 +53,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
53
53
  - !ruby/object:Gem::Version
54
54
  version: '0'
55
55
  requirements: []
56
- rubygems_version: 3.1.4
56
+ rubygems_version: 3.2.22
57
57
  signing_key:
58
58
  specification_version: 4
59
59
  summary: An implementation of password hashing compatible with ASP.NET Identity