Pbkdf2: Use it everywhere.

2021-01-14 15:06:16 +01:00 · 2021-01-14 15:06:16 +01:00 · 39f3683a06
commit 39f3683a06
parent 87a31c5c9b
21 changed files with 37 additions and 127 deletions
--- a/lib/pleroma/mfa.ex
+++ b/lib/pleroma/mfa.ex
@ -71,7 +71,7 @@ defmodule Pleroma.MFA do
  @spec generate_backup_codes(User.t()) :: {:ok, list(binary)} | {:error, String.t()}
  def generate_backup_codes(%User{} = user) do
    with codes <- BackupCodes.generate(),
-         hashed_codes <- Enum.map(codes, &Pleroma.Password.hash_pwd_salt/1),
+         hashed_codes <- Enum.map(codes, &Pleroma.Password.Pbkdf2.hash_pwd_salt/1),
         changeset <- Changeset.cast_backup_codes(user, hashed_codes),
         {:ok, _} <- User.update_and_set_cache(changeset) do
      {:ok, codes}
--- a/lib/pleroma/password.ex
+++ b/lib/pleroma/password.ex
@ -1,55 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Password do
-  @moduledoc """
-  This module implements Pleroma.Password passwords in terms of Plug.Crypto.
-  """
-
-  alias Plug.Crypto.KeyGenerator
-
-  def decode64(str) do
-    str
-    |> String.replace(".", "+")
-    |> Base.decode64!(padding: false)
-  end
-
-  def encode64(bin) do
-    bin
-    |> Base.encode64(padding: false)
-    |> String.replace("+", ".")
-  end
-
-  def verify_pass(password, hash) do
-    ["pbkdf2-" <> digest, iterations, salt, hash] = String.split(hash, "$", trim: true)
-
-    salt = decode64(salt)
-
-    iterations = String.to_integer(iterations)
-
-    digest = String.to_atom(digest)
-
-    binary_hash =
-      KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)
-
-    encode64(binary_hash) == hash
-  end
-
-  def hash_pwd_salt(password, opts \\ []) do
-    salt =
-      Keyword.get_lazy(opts, :salt, fn ->
-        :crypto.strong_rand_bytes(16)
-      end)
-
-    digest = Keyword.get(opts, :digest, :sha512)
-
-    iterations =
-      Keyword.get(opts, :iterations, Pleroma.Config.get([:password, :iterations], 160_000))
-
-    binary_hash =
-      KeyGenerator.generate(password, salt, digest: digest, iterations: iterations, length: 64)
-
-    "$pbkdf2-#{digest}$#{iterations}$#{encode64(salt)}$#{encode64(binary_hash)}"
-  end
-end
--- a/lib/pleroma/password/pbkdf2.ex
+++ b/lib/pleroma/password/pbkdf2.ex
@ -4,7 +4,7 @@

 defmodule Pleroma.Password.Pbkdf2 do
  @moduledoc """
-  This module implements Pleroma.Password.Pbkdf2 passwords in terms of Plug.Crypto.
+  This module implements Pbkdf2 passwords in terms of Plug.Crypto.
  """

  alias Plug.Crypto.KeyGenerator
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -2187,7 +2187,7 @@ defmodule Pleroma.User do
  defp put_password_hash(
         %Ecto.Changeset{valid?: true, changes: %{password: password}} = changeset
       ) do
-    change(changeset, password_hash: Pleroma.Password.hash_pwd_salt(password))
+    change(changeset, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
  end

  defp put_password_hash(changeset), do: changeset
--- a/lib/pleroma/web/plugs/authentication_plug.ex
+++ b/lib/pleroma/web/plugs/authentication_plug.ex
@ -48,7 +48,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
  end

  def checkpw(password, "$pbkdf2" <> _ = password_hash) do
-    Pleroma.Password.verify_pass(password, password_hash)
+    Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
  end

  def checkpw(_password, _password_hash) do