Add pepper to password hashing

Signed-off-by: Kent Shikama <kent@kentshikama.com>
author: Kent Shikama <kent@kentshikama.com> 2016-07-05 02:13:52 +0900
committer: Kent Shikama <kent@kentshikama.com> 2016-07-05 02:13:52 +0900
commit: 8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d (patch)
tree: 07006dbee1224befeec0939b5ee7c423ac46d416 /synapse/handlers/auth.py
parent: Merge pull request #905 from KentShikama/add-password-hash (diff)
download: synapse-8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 968095c141..fd5fadf73d 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -750,7 +750,7 @@ class AuthHandler(BaseHandler):
         Returns:
             Hashed password (str).
         """
-        return bcrypt.hashpw(password, bcrypt.gensalt(self.bcrypt_rounds))
+        return bcrypt.hashpw(password + self.hs.config.password_config.pepper, bcrypt.gensalt(self.bcrypt_rounds))
 
     def validate_hash(self, password, stored_hash):
         """Validates that self.hash(password) == stored_hash.
@@ -763,6 +763,7 @@ class AuthHandler(BaseHandler):
             Whether self.hash(password) == stored_hash (bool).
         """
         if stored_hash:
-            return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash
+            return bcrypt.hashpw(password + self.hs.config.password_config.pepper,
+                                 stored_hash.encode('utf-8')) == stored_hash
         else:
             return False
author	Kent Shikama <kent@kentshikama.com>	2016-07-05 02:13:52 +0900
committer	Kent Shikama <kent@kentshikama.com>	2016-07-05 02:13:52 +0900
commit	8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d (patch)
tree	07006dbee1224befeec0939b5ee7c423ac46d416 /synapse/handlers/auth.py
parent	Merge pull request #905 from KentShikama/add-password-hash (diff)
download	synapse-8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d.tar.xz