aspnet_password_hasher 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b06e4dc5a1b9d924d3ab268a0558d86411b66f321cdc4dbbf1231875d7f8f967
-  data.tar.gz: 30a00eaece15084ac2422c48b9675be4e38b481513a05023f400507b0bac2c81
+  metadata.gz: e388cb26bd568565e0870665eb2040dc07a512b584103ebc7079d86677d37dc7
+  data.tar.gz: 937f379680d571554082707ead950efd8b2eb198009fced622d42197a8dc4428
 SHA512:
-  metadata.gz: 21390413464568ba498eca11652e1d7a48d604331da2d04de19d1e70236850396a862514ccf02011a1b5388e6eae1da4189120193bc6ded573b5e8f35a5819e2
-  data.tar.gz: 11c9ed3b3bc76420f9e8ab9ab8b29dba7b1541ea3bcf771f6f96f50d17c8a7ece344fc7775cd9f1b999bf15ac23413f099f56bb2cce0206283336690d32522c5
+  metadata.gz: 0ad1768064f22d3ada3f0a61cb537d2b94c22a3fcc11e39f5087ac9f91320a8068158e6fdf7955c17e7523fc24576c057a77cd736724eac609cbd86bfa1039e1
+  data.tar.gz: 8623ce2638104ceb5ac50964efaa4704e891e58c2b569a019b12916a8fca571baf6abed615ff77b43a98766907b2ec9592bc16036910325037ed48ad5e3572c5

data/.github/workflows/ci.yml

@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby_version: [3.0, 2.7, 2.6, 2.5, 2.4]
+        ruby_version: [3.1, 3.0, 2.7, 2.6, 2.5, 2.4]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Setup Ruby
       uses: ruby/setup-ruby@v1
@@ -27,7 +27,7 @@ jobs:
         bundle exec rake
 
     - name: Upload coverage
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       if: always()
       with:
         name: coverage-ruby-${{ matrix.ruby_version }}

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.1.0
+
+- Update V3 password hashing to use SHA512 with 100k iterations
+
 ## 1.0.0
 
 - Initial release

data/README.md

@@ -1,3 +1,4 @@
+[![Gem Version](https://badge.fury.io/rb/aspnet_password_hasher.svg)](https://badge.fury.io/rb/aspnet_password_hasher)
 ![](https://github.com/kzkn/aspnet_password_hasher/workflows/CI/badge.svg)
 
 # AspnetPasswordHasher

data/lib/aspnet_password_hasher/password_hasher.rb

@@ -6,6 +6,10 @@ require 'base64'
 
 module AspnetPasswordHasher
   class PasswordHasher
+    KEY_DERIVATION_PRF_HMACSHA1 = 0
+    KEY_DERIVATION_PRF_HMACSHA256 = 1
+    KEY_DERIVATION_PRF_HMACSHA512 = 2
+
     def initialize(options = {})
       @mode = options[:mode] || :v3
       @rng = options[:random_number_generator] || SecureRandom
@@ -14,7 +18,7 @@ module AspnetPasswordHasher
       when :v2
         @iter_count = 0
       when :v3
-        @iter_count = options[:iter_count] || 10000
+        @iter_count = options[:iter_count] || 100000
         if @iter_count < 1
           raise ArgumentError, "Invalid password hasher iteration count"
         end
@@ -45,9 +49,15 @@ module AspnetPasswordHasher
         end
       when "\x01"
         # v3
-        result, embed_iter_count = verify_hashed_password_v3(decoded_hashed_password, provided_password)
+        result, embed_iter_count, prf = verify_hashed_password_v3(decoded_hashed_password, provided_password)
         if result
-          embed_iter_count < @iter_count ? :success_rehash_needed : :success
+          if embed_iter_count < @iter_count
+            :success_rehash_needed
+          elsif prf == KEY_DERIVATION_PRF_HMACSHA1 || prf == KEY_DERIVATION_PRF_HMACSHA256
+            :success_rehash_needed
+          else
+            :success
+          end
         else
           :failed
         end
@@ -75,12 +85,12 @@ module AspnetPasswordHasher
     end
 
     def hash_password_v3(password)
-      prf = 1 # HMACSHA256
+      prf = KEY_DERIVATION_PRF_HMACSHA512
       salt_size = 128 / 8
       num_bytes_requested = 256 / 8
 
       salt = @rng.bytes(salt_size)
-      digest = OpenSSL::Digest::SHA256.new
+      digest = OpenSSL::Digest::SHA512.new
       subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, @iter_count, num_bytes_requested, digest)
 
       output_bytes = String.new
@@ -116,31 +126,31 @@ module AspnetPasswordHasher
       salt_len = hashed_password[9..12].unpack('N')[0]
       # salt must be >= 128 bits
       if salt_len < 128 / 8
-        return [false, nil]
+        return [false, nil, nil]
       end
 
       salt = hashed_password[13...(13 + salt_len)]
       subkey_len = hashed_password.length - 13 - salt_len
       # subkey must by >= 128 bits
       if subkey_len < 128 / 8
-        return [false, nil]
+        return [false, nil, nil]
       end
 
       expected_subkey = hashed_password[(13 + salt_len)...hashed_password.length]
 
       digest = case prf
-               when 0
+               when KEY_DERIVATION_PRF_HMACSHA1
                  OpenSSL::Digest::SHA1.new
-               when 1
+               when KEY_DERIVATION_PRF_HMACSHA256
                  OpenSSL::Digest::SHA256.new
-               when 2
+               when KEY_DERIVATION_PRF_HMACSHA512
                  OpenSSL::Digest::SHA512.new
                end
       actual_subkey = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter_count, subkey_len, digest)
 
-      [expected_subkey == actual_subkey, iter_count]
+      [expected_subkey == actual_subkey, iter_count, prf]
     rescue StandardError
-      [false, nil]
+      [false, nil, nil]
     end
   end
 end

data/lib/aspnet_password_hasher/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AspnetPasswordHasher
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aspnet_password_hasher
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Kazuki Nishikawa
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-07-01 00:00:00.000000000 Z
+date: 2022-10-08 00:00:00.000000000 Z
 dependencies: []
 description: An implementation of password hashing compatible with ASP.NET Identity
 email:
@@ -53,7 +53,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: An implementation of password hashing compatible with ASP.NET Identity