Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prologue Encryption - Docs for hashing utils provided by prologue + maybe swap to or offer openssl implementation? #172

Open
PhilippMDoerner opened this issue Jul 13, 2022 · 3 comments

Comments

@PhilippMDoerner
Copy link
Contributor

Heyho,

I've recently noticed that prologue offers its own hashing proc to allow simple pbkdf2_sha256 hashing, with an API similar to how its handled in Django. This is in the prologue/security/hasher module.

Suggestion 1) I think it would be useful to have a section in the quickstart docs that at least mention the hashing util procs there.

Secondly, from what I'm seeing, it is using nimcrypto to perform the hasing. From my own experience, using nimcrypto compared to openssl has a significant slowdown. Thus, and given that openssl is the more established library, I would want to make another suggestion.

Suggestion 2) Either replace the current pkdf2 hashing procs with one that makes use of openssl or alternatively just offer an alternative.
I already have an implementation as you might be aware of, since hotdog from the discord provided me with one:

from std/openssl import DLLSSLName, EVP_MD, EVP_sha256, EVP_MD_size, DLLUtilName

proc PKCS5_PBKDF2_HMAC(
  pass: cstring,
  passLen: cint,
  salt: cstring,
  saltLen: cint,
  iter: cint,
  digest: EVP_MD,
  keylen: cint,
  output: cstring
): cint {.cdecl, dynlib: DLLSSLName, importc: "PKCS5_PBKDF2_HMAC".}

proc EVP_MD_size_fixed*(md: EVP_MD): cint {.cdecl, dynlib: DLLUtilName, importc: "EVP_MD_size".}
proc EVP_sha256_fixed*(): EVP_MD    {.cdecl, dynlib: DLLUtilName, importc: "EVP_sha256".}

proc openssl_calculate_SHA256_pbkdf2_hash(password: string, salt: string, iterations: int, secretKey: string): string {.gcsafe.} =
  if iterations > cint.high: raise newException(ValueError, "iterations too high")
  let
    digest: EVP_MD = EVP_sha256_fixed()
    keylen: cint = EVP_MD_size_fixed(digest)
    output = newString(keylen)

    retVal = PKCS5_PBKDF2_HMAC(
      password.cstring,
      -1,
      salt.cstring,
      len(salt).cint,
      iterations.cint,
      digest,
      keylen,
      output[0].unsafeAddr
    )

  doAssert retVal == 1
  result = encode(output)

What is your opinion on that one @xflywind ?

@ringabout
Copy link
Member

Hi, hasher has already deprecated because of a typo =>

ref #140

The hash util is subtle. Imo it should be put in a separate library either or it can stay on the Prologue org.

@PhilippMDoerner
Copy link
Contributor Author

PhilippMDoerner commented Jul 13, 2022

What is the prologue org?
As for where to put it, I'm pretty ambivalent in that regard. If you prefer it could be one of the prologue extensions we have?

I would mostly want some level of docs on it, since crypto is one of those things that is immensely annoying to research when you want to do implement your password hashing.

@ringabout
Copy link
Member

If you prefer it could be one of the prologue extensions we have

Yeah, I agree. It can start from an extension/library.

What is the prologue org?

Sorry I mean https://github.com/planety. If you need access to https://github.com/planety, feel free to tell me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants