Merge pull request #2773 from matrix-org/erikj/hash_bg

Do bcrypt hashing in a background thread
2018-01-10 18:11:41 +00:00 · 2018-01-10 18:11:41 +00:00 · 825a07a974
parent b9e4a97922 f8e1ab5fee
commit 825a07a974
3 changed files with 18 additions and 10 deletions
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -13,7 +13,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-from twisted.internet import defer
+from twisted.internet import defer, threads
 from ._base import BaseHandler
 from synapse.api.constants import LoginType
@ -25,6 +25,7 @@ from synapse.module_api import ModuleApi
 from synapse.types import UserID
 from synapse.util.async import run_on_reactor
 from synapse.util.caches.expiringcache import ExpiringCache
 from synapse.util.logcontext import make_deferred_yieldable
 from twisted.web.client import PartialDownloadError
@ -714,7 +715,7 @@ class AuthHandler(BaseHandler):
        if not lookupres:
            defer.returnValue(None)
        (user_id, password_hash) = lookupres
-        result = self.validate_hash(password, password_hash)
+        result = yield self.validate_hash(password, password_hash)
        if not result:
            logger.warn("Failed password login for user %s", user_id)
            defer.returnValue(None)
@ -842,10 +843,13 @@ class AuthHandler(BaseHandler):
            password (str): Password to hash.
        Returns:
-            Hashed password (str).
+            Deferred(str): Hashed password.
        """
-        return bcrypt.hashpw(password.encode('utf8') + self.hs.config.password_pepper,
+        def _do_hash():
-                             bcrypt.gensalt(self.bcrypt_rounds))
+            return bcrypt.hashpw(password.encode('utf8') + self.hs.config.password_pepper,
                                 bcrypt.gensalt(self.bcrypt_rounds))
        return make_deferred_yieldable(threads.deferToThread(_do_hash))
    def validate_hash(self, password, stored_hash):
        """Validates that self.hash(password) == stored_hash.
@ -855,13 +859,17 @@ class AuthHandler(BaseHandler):
            stored_hash (str): Expected hash value.
        Returns:
-            Whether self.hash(password) == stored_hash (bool).
+            Deferred(bool): Whether self.hash(password) == stored_hash.
        """
-        if stored_hash:
+
        def _do_validate_hash():
            return bcrypt.hashpw(password.encode('utf8') + self.hs.config.password_pepper,
                                 stored_hash.encode('utf8')) == stored_hash
        if stored_hash:
            return make_deferred_yieldable(threads.deferToThread(_do_validate_hash))
        else:
-            return False
+            return defer.succeed(False)
 class MacaroonGeneartor(object):
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -131,7 +131,7 @@ class RegistrationHandler(BaseHandler):
        yield run_on_reactor()
        password_hash = None
        if password:
-            password_hash = self.auth_handler().hash(password)
+            password_hash = yield self.auth_handler().hash(password)
        if localpart:
            yield self.check_username(localpart, guest_access_token=guest_access_token)
--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
@ -31,7 +31,7 @@ class SetPasswordHandler(BaseHandler):
    @defer.inlineCallbacks
    def set_password(self, user_id, newpassword, requester=None):
-        password_hash = self._auth_handler.hash(newpassword)
+        password_hash = yield self._auth_handler.hash(newpassword)
        except_device_id = requester.device_id if requester else None
        except_access_token_id = requester.access_token_id if requester else None