Added option of using fastpbkdf2.

Racum · Racum · commit ce58f8525242 · 2016-03-22T01:43:00.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.2.0] - 2016-03-22
+
+### Added
+
+- Option of using fastpbkdf2 (requires OpenSSL to build).
+
 ## [0.1.0] - 2016-01-01
 
 ### Added
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "djangohashers"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Ronaldo Racum <ronaldo@racum.com>"]
 license = "BSD-3-Clause"
 readme = "README.md"
@@ -13,8 +13,13 @@ doc = true
 doctest = false
 bench = true
 
+[features]
+default = []
+fpbkdf2 = ["fastpbkdf2"]
+
 [dependencies]
 rust-crypto = "^0.2"
 bcrypt = "^0.1"
 rustc-serialize = "^0.3"
 rand = "^0.3"
+fastpbkdf2 = { version = "0.1.0", optional = true }
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ Add the dependency to your `Cargo.toml`:
 
 ```toml
 [dependencies]
-djangohashers = "^0.1"
+djangohashers = "0.2.0"
 ```
 
 Reference and import:
@@ -29,6 +29,47 @@ use djangohashers::*;
 use djangohashers::{check_password, make_password, Algorithm};
 ```
 
+## Fast PBKDF2 Version
+
+Unfortunately rust-crypto’s implementation of PBKDF2 is not properly optimized: it does not adheres to the loop inlines and buffering used in [modern implementations](https://jbp.io/2015/08/11/pbkdf2-performance-matters/). The package [fastpbkdf2](https://github.com/ctz/rust-fastpbkdf2) uses a C-binding of a [library](https://github.com/ctz/fastpbkdf2) that requires OpenSSL.
+
+### Instalation
+
+Add the dependency to your `Cargo.toml` declaring the feature:
+
+```toml
+[dependencies.djangohashers]
+version = "0.2.0"
+features = ["fpbkdf2"]
+```
+
+You need to install OpenSSL and set the environment variable to make it visible to the compiler; this changes depending on the operation system and package manager, for example, in OS X with MacPorts you may need to do something like this:
+
+```
+$ sudo port install openssl
+$ CFLAGS="-I/opt/local/include" cargo ...
+```
+
+For other OSs and package managers, [follow the guide](https://cryptography.io/en/latest/installation/) of how to install Python’s **Cryptography** dependencies, that also links against OpenSSL.
+
+### Performance
+
+Method  | Encode or Check | Performance
+------- | --------------- | -------
+Django 1.9.4 | 29.5ms | Baseline
+djangohashers with rust-crypto 0.2.34 (default) | 41.7ms | 41% slower
+djangohashers with fastpbkdf2 0.1.0 | 23.1ms | 28% faster
+
+Notes:
+
+* Best of 5 rounds of 100 events.
+* Built with `--release`.
+* PBKDF2 using SHA256 and iteration count set to 24000.
+* Django version tested with CPython 3.5.1
+* Rust/fastpbkdf2 version tested with Rust 1.6.0 and OpenSSL 1.0.2g.
+* iMac Mid 2010 with an Intel Core i3 3.2Ghz and 16GB of RAM, running OS X 10.11.3.
+
+
 ## Compatibility
 
 DjangoHashers passes all relevant unit tests from Django 1.9, there is even a [line-by-line translation](https://github.com/Racum/rust-djangohashers/blob/master/tests/django.rs) of [tests/auth_tests/test_hashers.py](https://github.com/django/django/blob/e403f22/tests/auth_tests/test_hashers.py).
diff --git a/src/crypto_utils.rs b/src/crypto_utils.rs
@@ -4,32 +4,55 @@ extern crate rustc_serialize;
 extern crate crypto;
 extern crate bcrypt;
 
+#[cfg(fpbkdf2)]
+extern crate fastpbkdf2;
+
 use self::rustc_serialize::base64::{STANDARD, ToBase64};
 use self::crypto::digest::Digest;
-use self::crypto::hmac::Hmac;
 use self::crypto::sha2::Sha256;
 use self::crypto::sha1::Sha1;
 use self::crypto::md5::Md5;
+
+#[cfg(not(fpbkdf2))]
+use self::crypto::hmac::Hmac;
+#[cfg(not(fpbkdf2))]
 use self::crypto::pbkdf2::pbkdf2;
+#[cfg(fpbkdf2)]
+use self::fastpbkdf2::{pbkdf2_hmac_sha1, pbkdf2_hmac_sha256};
 
 pub use self::bcrypt::hash as hash_bcrypt;
 pub use self::bcrypt::verify as verify_bcrypt;
 
-
+#[cfg(not(fpbkdf2))]
 pub fn hash_pbkdf2_sha256(password: &str, salt: &str, iterations: u32) -> String {
     let mut mac = Hmac::new(Sha256::new(), &password.as_bytes());
     let mut result = [0u8; 32];
     pbkdf2(&mut mac, &salt.as_bytes(), iterations, &mut result);
     result.to_base64(STANDARD)
 }
 
+#[cfg(fpbkdf2)]
+pub fn hash_pbkdf2_sha256(password: &str, salt: &str, iterations: u32) -> String {
+    let mut result = [0u8; 32];
+    pbkdf2_hmac_sha256(&password.as_bytes(), &salt.as_bytes(), iterations, &mut result);
+    result.to_base64(STANDARD)
+}
+
+#[cfg(not(fpbkdf2))]
 pub fn hash_pbkdf2_sha1(password: &str, salt: &str, iterations: u32) -> String {
     let mut mac = Hmac::new(Sha1::new(), &password.as_bytes());
     let mut result = [0u8; 20];
     pbkdf2(&mut mac, &salt.as_bytes(), iterations, &mut result);
     result.to_base64(STANDARD)
 }
 
+#[cfg(fpbkdf2)]
+pub fn hash_pbkdf2_sha1(password: &str, salt: &str, iterations: u32) -> String {
+    let mut result = [0u8; 20];
+    pbkdf2_hmac_sha1(&password.as_bytes(), &salt.as_bytes(), iterations, &mut result);
+    result.to_base64(STANDARD)
+}
+
 pub fn hash_sha1(password: &str, salt: &str) -> String {
     let mut sha = Sha1::new();
     sha.input_str(salt);
