authorvarac <varacanero@zeromail.org>2015-06-11 22:29:44 +0200
committervarac <varacanero@zeromail.org>2015-06-11 22:29:44 +0200
commite0754c2672a5a98219376dfea10b3654333310c0 (patch)
treedb3896808ae72b8b9ee2db613a96e4e1d3599e39 /lib
parentc67248cd74eb91854e5841d27572e630efec0f62 (diff)
added pbkdf2 function for hashing passwords using the pbkdf2 algorithm
e.g., CouchDB v1.3 changed the default password hashing algorithm from sha1 to pbkdf2; see http://docs.couchdb.org/en/1.4.x/configuring.html
Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/parser/functions/pbkdf2.rb62
1 files changed, 62 insertions, 0 deletions
diff --git a/lib/puppet/parser/functions/pbkdf2.rb b/lib/puppet/parser/functions/pbkdf2.rb
new file mode 100644
index 0000000..46400c9
--- /dev/null
+++ b/lib/puppet/parser/functions/pbkdf2.rb
@@ -0,0 +1,62 @@
+#
+# pbkdf2.rb
+#
+
+module Puppet::Parser::Functions
+ newfunction(:pbkdf2, :type => :rvalue, :doc => <<-EOS
+This converts a password and a salt (and optional iterations and keylength
+parameters) to a hash containing the salted SHA1 password hash, salt,
+iterations and keylength.
+pbkdf2 is used i.e. for couchdb passwords since v1.3.
+
+Example usage:
+ $pbkdf2 = pbkdf2($::couchdb::admin_pw, $::couchdb::admin_salt)
+ $sha1 = $pbkdf2['sha1']
+EOS
+ ) do |arguments|
+ require 'openssl'
+ require 'base64'
+
+ raise(Puppet::ParseError, "pbkdf2(): Wrong number of arguments " +
+ "passed (#{arguments.size} but we require at least 2)") if arguments.size < 2
+
+ unless arguments.is_a?(Array)
+ raise(Puppet::ParseError, 'pbkdf2(): Requires a ' +
+ "Array argument, you passed: #{password.class}")
+ end
+
+ password = arguments[0]
+ salt = arguments[1]
+
+ if arguments.size > 2
+ iterations = arguments[2].to_i
+ else
+ iterations = 1000
+ end
+
+ if arguments.size > 3
+ keylength = arguments[3].to_i
+ else
+ keylength = 20
+ end
+
+ pbkdf2 = OpenSSL::PKCS5::pbkdf2_hmac_sha1(
+ password,
+ salt,
+ iterations,
+ keylength
+ )
+
+ return_hash = Hash.new()
+ # return hex encoded string
+ return_hash['sha1'] = pbkdf2.unpack('H*')[0]
+ return_hash['password'] = password
+ return_hash['salt'] = salt
+ return_hash['iterations'] = iterations
+ return_hash['keylength'] = keylength
+
+ return return_hash
+ end
+end
+
+# vim: set ts=2 sw=2 et :
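Review bot: `arguments[2].to_i` and `arguments[3].to_i` turn any non-numeric value into 0, so a typo in a manifest reaches `pbkdf2_hmac_sha1` with an iteration count or key length of 0 instead of failing the compile. Strict conversion with a lower bound would catch this, e.g. `iterations = Integer(arguments[2])` followed by `raise(Puppet::ParseError, 'pbkdf2(): iterations must be >= 1') if iterations < 1`, and likewise for `keylength`. The `unless arguments.is_a?(Array)` guard cannot fire once `arguments.size` has already been called above it, and its message interpolates `password` before that variable is assigned. Checking `password.is_a?(String)` and `salt.is_a?(String)` after the two assignments is probably what was intended. The returned hash also carries the plaintext under `'password'`, which the caller already holds, so dropping that key would narrow where the secret can end up; the doc string's "salted SHA1 password hash" would be more accurate as "PBKDF2-HMAC-SHA1 derived key, hex encoded".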