diff options
author | Kent Shikama <kent@kentshikama.com> | 2016-07-05 02:13:52 +0900 |
---|---|---|
committer | Kent Shikama <kent@kentshikama.com> | 2016-07-05 02:13:52 +0900 |
commit | 8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d (patch) | |
tree | 07006dbee1224befeec0939b5ee7c423ac46d416 /synapse | |
parent | Merge pull request #905 from KentShikama/add-password-hash (diff) | |
download | synapse-8bdaf5f7afaee98a8cf25d2fb170fe4b2aa97f3d.tar.xz |
Add pepper to password hashing
Signed-off-by: Kent Shikama <kent@kentshikama.com>
Diffstat (limited to '')
-rw-r--r-- | synapse/config/password.py | 6 | ||||
-rw-r--r-- | synapse/handlers/auth.py | 5 |
2 files changed, 8 insertions, 3 deletions
diff --git a/synapse/config/password.py b/synapse/config/password.py index dec801ef41..ea822f2bb5 100644 --- a/synapse/config/password.py +++ b/synapse/config/password.py @@ -23,10 +23,14 @@ class PasswordConfig(Config): def read_config(self, config): password_config = config.get("password_config", {}) self.password_enabled = password_config.get("enabled", True) + self.pepper = password_config.get("pepper", "") def default_config(self, config_dir_path, server_name, **kwargs): return """ # Enable password for login. password_config: enabled: true - """ + # Uncomment for extra security for your passwords. + # DO NOT CHANGE THIS AFTER INITIAL SETUP! + #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9" + """ \ No newline at end of file diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 968095c141..fd5fadf73d 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -750,7 +750,7 @@ class AuthHandler(BaseHandler): Returns: Hashed password (str). """ - return bcrypt.hashpw(password, bcrypt.gensalt(self.bcrypt_rounds)) + return bcrypt.hashpw(password + self.hs.config.password_config.pepper, bcrypt.gensalt(self.bcrypt_rounds)) def validate_hash(self, password, stored_hash): """Validates that self.hash(password) == stored_hash. @@ -763,6 +763,7 @@ class AuthHandler(BaseHandler): Whether self.hash(password) == stored_hash (bool). """ if stored_hash: - return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash + return bcrypt.hashpw(password + self.hs.config.password_config.pepper, + stored_hash.encode('utf-8')) == stored_hash else: return False |