cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'upstream/pull/3353'

Browse source
This commit is contained in:
Tom Hughes 2021-11-16 08:21:17 +00:00
commit e342314d8b
4 changed files with 55 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Gemfile
View file

@ -33,6 +33,9 @@ gem "autoprefixer-rails"
# Use image_optim to optimise images # Use image_optim to optimise images
gem "image_optim_rails" gem "image_optim_rails"
# Use argon2 for password hashing
gem "argon2"
# Load rails plugins # Load rails plugins
gem "actionpack-page_caching", ">= 1.2.0" gem "actionpack-page_caching", ">= 1.2.0"
gem "activerecord-import" gem "activerecord-import"

7
Gemfile.lock
View file

@ -73,6 +73,9 @@ GEM
annotate (3.1.1) annotate (3.1.1)
activerecord (>= 3.2, < 7.0) activerecord (>= 3.2, < 7.0)
rake (>= 10.4, < 14.0) rake (>= 10.4, < 14.0)
argon2 (2.1.1)
ffi (~> 1.14)
ffi-compiler (~> 1.0)
ast (2.4.2) ast (2.4.2)
autoprefixer-rails (10.3.3.0) autoprefixer-rails (10.3.3.0)
execjs (~> 2) execjs (~> 2)
@ -225,6 +228,9 @@ GEM
faraday-patron (1.0.0) faraday-patron (1.0.0)
faraday-rack (1.0.0) faraday-rack (1.0.0)
ffi (1.15.4) ffi (1.15.4)
ffi-compiler (1.0.1)
ffi (>= 1.0.0)
rake
ffi-libarchive (1.1.3) ffi-libarchive (1.1.3)
ffi (~> 1.0) ffi (~> 1.0)
fspath (3.1.2) fspath (3.1.2)
@ -498,6 +504,7 @@ DEPENDENCIES
active_record_union active_record_union
activerecord-import activerecord-import
annotate annotate
argon2
autoprefixer-rails autoprefixer-rails
aws-sdk-s3 aws-sdk-s3
better_errors better_errors

51
lib/password_hash.rb
View file

@ -1,51 +1,44 @@
require "securerandom" require "argon2"
require "openssl"
require "base64" require "base64"
require "digest/md5" require "digest/md5"
require "openssl"
require "securerandom"
module PasswordHash module PasswordHash
SALT_BYTE_SIZE = 32 FORMAT = Argon2::HashFormat.new(Argon2::Password.create(""))
HASH_BYTE_SIZE = 32
PBKDF2_ITERATIONS = 10000
DIGEST_ALGORITHM = "sha512".freeze
def self.create(password) def self.create(password)
salt = SecureRandom.base64(SALT_BYTE_SIZE) hash = Argon2::Password.create(password)
hash = self.hash(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE, DIGEST_ALGORITHM) [hash, nil]
[hash, [DIGEST_ALGORITHM, PBKDF2_ITERATIONS, salt].join("!")]
end end
def self.check(hash, salt, candidate) def self.check(hash, salt, candidate)
if salt.nil? if Argon2::HashFormat.valid_hash?(hash)
candidate = Digest::MD5.hexdigest(candidate) Argon2::Password.verify_password(candidate, hash)
elsif salt.nil?
hash == Digest::MD5.hexdigest(candidate)
elsif salt.include?("!") elsif salt.include?("!")
algorithm, iterations, salt = salt.split("!") algorithm, iterations, salt = salt.split("!")
size = Base64.strict_decode64(hash).length size = Base64.strict_decode64(hash).length
candidate = self.hash(candidate, salt, iterations.to_i, size, algorithm) hash == pbkdf2(candidate, salt, iterations.to_i, size, algorithm)
else else
candidate = Digest::MD5.hexdigest(salt + candidate) hash == Digest::MD5.hexdigest(salt + candidate)
end end
hash == candidate
end end
def self.upgrade?(hash, salt) def self.upgrade?(hash, _salt)
if salt.nil? format = Argon2::HashFormat.new(hash)
return true
elsif salt.include?("!")
algorithm, iterations, salt = salt.split("!")
return true if Base64.strict_decode64(salt).length != SALT_BYTE_SIZE
return true if Base64.strict_decode64(hash).length != HASH_BYTE_SIZE
return true if iterations.to_i != PBKDF2_ITERATIONS
return true if algorithm != DIGEST_ALGORITHM
else
return true
end
false format.variant != FORMAT.variant ||
format.version != FORMAT.version ||
format.t_cost != FORMAT.t_cost ||
format.m_cost != FORMAT.m_cost ||
format.p_cost != FORMAT.p_cost
rescue Argon2::ArgonHashFail
true
end end
def self.hash(password, salt, iterations, size, algorithm) def self.pbkdf2(password, salt, iterations, size, algorithm)
digest = OpenSSL::Digest.new(algorithm) digest = OpenSSL::Digest.new(algorithm)
pbkdf2 = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, size, digest) pbkdf2 = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, size, digest)
Base64.strict_encode64(pbkdf2) Base64.strict_encode64(pbkdf2)

25
test/lib/password_hash_test.rb
View file

@ -25,14 +25,27 @@ class PasswordHashTest < ActiveSupport::TestCase
assert PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "password") assert PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "password")
assert_not PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "wrong") assert_not PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "wrong")
assert_not PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtMwronguvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "password") assert_not PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtMwronguvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "password")
assert_not PasswordHash.upgrade?("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=") assert PasswordHash.upgrade?("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=")
end
def test_argon2_upgradeable
assert PasswordHash.check("$argon2id$v=19$m=65536,t=1,p=1$KXGHWfWMf5H5kY4uU3ua8A$YroVvX6cpJpljTio62k19C6UpuIPtW7me2sxyU2dyYg", nil, "password")
assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=1,p=1$KXGHWfWMf5H5kY4uU3ua8A$YroVvX6cpJpljTio62k19C6UpuIPtW7me2sxyU2dyYg", nil, "wrong")
assert PasswordHash.upgrade?("$argon2id$v=19$m=65536,t=1,p=1$KXGHWfWMf5H5kY4uU3ua8A$YroVvX6cpJpljTio62k19C6UpuIPtW7me2sxyU2dyYg", nil)
end
def test_argon2
assert PasswordHash.check("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil, "password")
assert_not PasswordHash.check("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil, "wrong")
assert_not PasswordHash.upgrade?("$argon2id$v=19$m=65536,t=2,p=1$b2E7zSvjT6TC5DXrqvfxwg$P4hly807ckgYc+kfvaf3rqmJcmKStzw+kV14oMaz8PQ", nil)
end end
def test_default def test_default
hash1, salt1 = PasswordHash.create("password") hash1, salt1 = PasswordHash.create("password")
hash2, salt2 = PasswordHash.create("password") hash2, salt2 = PasswordHash.create("password")
assert_not_equal hash1, hash2 assert_not_equal hash1, hash2
assert_not_equal salt1, salt2 assert_nil salt1
assert_nil salt2
assert PasswordHash.check(hash1, salt1, "password") assert PasswordHash.check(hash1, salt1, "password")
assert_not PasswordHash.check(hash1, salt1, "wrong") assert_not PasswordHash.check(hash1, salt1, "wrong")
assert PasswordHash.check(hash2, salt2, "password") assert PasswordHash.check(hash2, salt2, "password")
@ -40,4 +53,12 @@ class PasswordHashTest < ActiveSupport::TestCase
assert_not PasswordHash.upgrade?(hash1, salt1) assert_not PasswordHash.upgrade?(hash1, salt1)
assert_not PasswordHash.upgrade?(hash2, salt2) assert_not PasswordHash.upgrade?(hash2, salt2)
end end
def test_format
hash, _salt = PasswordHash.create("password")
format = Argon2::HashFormat.new(hash)
assert_equal "argon2id", format.variant
assert format.version <= 19
end
end end