Skip to content
Snippets Groups Projects
Commit e91b9a39 authored by Guillaume ROUSSE's avatar Guillaume ROUSSE
Browse files

use php-compatible bcrypt hash instead of SHA256

parent b6db02da
Branches
Tags
No related merge requests found
...@@ -107,7 +107,7 @@ sub add_account { ...@@ -107,7 +107,7 @@ sub add_account {
scope => $configuration->{idp}->{scope}, scope => $configuration->{idp}->{scope},
password => $password, password => $password,
password_crypt => AccessCheck::Tools::encrypt($password, $key), password_crypt => AccessCheck::Tools::encrypt($password, $key),
password_hash => AccessCheck::Tools::sha256_hash($password), password_hash => AccessCheck::Tools::hash($password),
token => $secret, token => $secret,
creation_date => DateTime->now(), creation_date => DateTime->now(),
expiration_date => DateTime->now()->add(days => $validity_period) expiration_date => DateTime->now()->add(days => $validity_period)
......
...@@ -79,7 +79,7 @@ sub run { ...@@ -79,7 +79,7 @@ sub run {
scope => $config->{idp}->{scope}, scope => $config->{idp}->{scope},
password => $password, password => $password,
password_crypt => AccessCheck::Tools::encrypt($password, $key), password_crypt => AccessCheck::Tools::encrypt($password, $key),
password_hash => AccessCheck::Tools::sha256_hash($password), password_hash => AccessCheck::Tools::hash($password),
token => $download_token->secret(), token => $download_token->secret(),
creation_date => $creation_date, creation_date => $creation_date,
expiration_date => $account_expiration_date, expiration_date => $account_expiration_date,
......
...@@ -2,7 +2,8 @@ package AccessCheck::Tools; ...@@ -2,7 +2,8 @@ package AccessCheck::Tools;
use Mojo::Base -strict; use Mojo::Base -strict;
use Digest::SHA; use Crypt::Bcrypt;
use Crypt::OpenSSL::Random ();
use Encode; use Encode;
use English qw(-no_match_vars); use English qw(-no_match_vars);
use List::Util qw(shuffle); use List::Util qw(shuffle);
...@@ -13,6 +14,12 @@ use Template::Constants qw(:chomp); ...@@ -13,6 +14,12 @@ use Template::Constants qw(:chomp);
use AccessCheck::Template::Plugin::Quote; use AccessCheck::Template::Plugin::Quote;
use constant {
SIG_BCRYPT => '2y',
PASSWORD_BCRYPT_DEFAULT_COST => 10,
PASSWORD_BCRYPT_MAX_PASSWORD_LEN => 72,
};
sub encrypt { sub encrypt {
my ($string, $key) = @_; my ($string, $key) = @_;
...@@ -42,11 +49,26 @@ sub otp { ...@@ -42,11 +49,26 @@ sub otp {
return join('', @chars); return join('', @chars);
} }
# get SHA256 hash for a string # shamelessly stolen from PHP::Functions::Password
sub sha256_hash { # https://metacpan.org/dist/PHP-Functions-Password/source/lib/PHP/Functions/Password.pm
my ($s) = @_; sub hash {
my ($string) = @_;
my $salt = Crypt::OpenSSL::Random::random_bytes(16);
my $cost = PASSWORD_BCRYPT_DEFAULT_COST;
# Treat passwords as strings of bytes
# "\x{100}" becomes "\xc4\x80"; preferred equivalent of Encode::is_utf8($string) && Encode::_utf8_off($password);
utf8::is_utf8($string) && utf8::encode($string);
# Everything beyond the max password length in bytes for bcrypt is silently ignored.
require bytes;
if (bytes::length($string) > PASSWORD_BCRYPT_MAX_PASSWORD_LEN) {
# $string is already bytes, so the bytes:: prefix is redundant here
$string = substr($string, 0, PASSWORD_BCRYPT_MAX_PASSWORD_LEN);
}
return Digest::SHA::sha256_base64($s); return Crypt::Bcrypt::bcrypt($string, SIG_BCRYPT, $cost, $salt);
} }
sub generate_password { sub generate_password {
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment