commit: c7cd9bd5911f8393fa758e329f8786913a5c321f
parent f917285b72dbc770be40478e1a55973f29d5db7d
Author: lain <lain@soykaf.club>
Date: Wed, 13 Jan 2021 15:09:01 +0100
Password: Add password module
Replaces Pbkdf2.
Diffstat:
3 files changed, 91 insertions(+), 1 deletion(-)
diff --git a/config/test.exs b/config/test.exs
@@ -53,7 +53,7 @@ config :pleroma, Pleroma.Repo,
config :pleroma, :dangerzone, override_repo_pool_size: true
# Reduce hash rounds for testing
-config :pbkdf2_elixir, rounds: 1
+config :pleroma, :password, iterations: 1
config :tesla, adapter: Tesla.Mock
diff --git a/lib/pleroma/password.ex b/lib/pleroma/password.ex
@@ -0,0 +1,55 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Password do
+ @moduledoc """
+ This module implements Pleroma.Password passwords in terms of Plug.Crypto.
+ """
+
+ alias Plug.Crypto.KeyGenerator
+
+ def decode64(str) do
+ str
+ |> String.replace(".", "+")
+ |> Base.decode64!(padding: false)
+ end
+
+ def encode64(bin) do
+ bin
+ |> Base.encode64(padding: false)
+ |> String.replace("+", ".")
+ end
+
+ def verify_pass(password, hash) do
+ ["pbkdf2-" <> digest, iterations, salt, hash] = String.split(hash, "$", trim: true)
+
+ salt = decode64(salt)
+
+ iterations = String.to_integer(iterations)
+
+ digest = String.to_atom(digest)
+
+ binary_hash =
+ KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)
+
+ encode64(binary_hash) == hash
+ end
+
+ def hash_pwd_salt(password, opts \\ []) do
+ salt =
+ Keyword.get_lazy(opts, :salt, fn ->
+ :crypto.strong_rand_bytes(16)
+ end)
+
+ digest = Keyword.get(opts, :digest, :sha512)
+
+ iterations =
+ Keyword.get(opts, :iterations, Pleroma.Config.get([:password, :iterations], 160_000))
+
+ binary_hash =
+ KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)
+
+ "$pbkdf2-#{digest}$#{iterations}$#{encode64(salt)}$#{encode64(binary_hash)}"
+ end
+end
diff --git a/test/pleroma/password_test.exs b/test/pleroma/password_test.exs
@@ -0,0 +1,35 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.PasswordTest do
+ use Pleroma.DataCase, async: true
+
+ alias Pleroma.Password
+
+ test "it generates the same hash as pbkd2_elixir" do
+ # hash = Pleroma.Password.hash_pwd_salt("password")
+ hash =
+ "$pbkdf2-sha512$1$QJpEYw8iBKcnY.4Rm0eCVw$UBPeWQ91RxSv3snxsb/ZzMeG/2aa03c541bbo8vQudREGNta5t8jBQrd00fyJp8RjaqfvgdZxy2rhSwljyu21g"
+
+ # Use the same randomly generated salt
+ salt = Password.decode64("QJpEYw8iBKcnY.4Rm0eCVw")
+
+ assert hash == Password.hash_pwd_salt("password", salt: salt)
+ end
+
+ @tag skip: "Works when Pbkd2 is present. Source: trust me bro"
+ test "Pleroma.Password can verify passwords generated with it" do
+ hash = Password.hash_pwd_salt("password")
+
+ assert Pleroma.Password.verify_pass("password", hash)
+ end
+
+ test "it verifies pbkdf2_elixir hashes" do
+ # hash = Pleroma.Password.hash_pwd_salt("password")
+ hash =
+ "$pbkdf2-sha512$1$QJpEYw8iBKcnY.4Rm0eCVw$UBPeWQ91RxSv3snxsb/ZzMeG/2aa03c541bbo8vQudREGNta5t8jBQrd00fyJp8RjaqfvgdZxy2rhSwljyu21g"
+
+ assert Password.verify_pass("password", hash)
+ end
+end
