Using peppers with Crypt::Passphrase

Recalling Crypt::Passphrase

Crypt::Passphrase is a module for managing passwords. It allows you to separate policy and mechanism, meaning that the code that polices authorization doesn’t have to know anything about what algorithms are used behind the screen, and vice-versa; thus making for a cryptographically agile system.

It’s not only handling the technical details of password hashes for you but also it deals with a variety of schemes. It’s especially useful for transitioning between them.

A configuration might look like this (Koha):

My 2023 in Perl

2023 was a rather productive year for me on CPAN. Aided by taking some time off I managed to release a whopping 18 new modules.

Passwords

Half of my new modules were related to my password framework Crypt::Passphrase. To be honest most of them are either small (± 100 LOC) glue two or three other pieces of code together. And then there was Crypt::HSM, a PKCS11 interface (to use cryptographic hardware without exposing cryptographic keys) that was probably more work (2600 LOC of XS) than the others combined.

Most of this was with the aim to add peppering support to Crypt::Passphrase, a subject extensive enough that I should probably dedicate a separate blogpost to it.

Some tricks for prettier xs

XS has a reputation of being ugly and cumbersome, but in my experience, it doesn't have to be. Let's take for example this snippet from my Thread::Csp::Promise class:

MODULE = Thread::Csp PACKAGE = Thread::Csp::Promise PREFIX = promise_

SV* promise_get(Promise* promise)

bool promise_is_finished(Promise* promise)

SV* promise_get_notifier(Promise* promise)

My new modules in 2021

Perl

I had a reasonably productive year, releasing several modules that I think/hope are useful for the wider ecosystem.

Crypt::Passphrase

This module manages the passwords in a cryptographically agile manner. That means that it can not only verify passwords using different ciphers, but it also aids in gradually upgrading passwords hashed with an outdated cipher (or outdated settings) to the current one; for example when you want to upgrade from bcrypt to argon2. Password hashing is both a rather common form of cryptography, and one that is more subject to change than others; you should probably reevaluate your password handling every couple of years. With this module, you can initiate such a transition with a simple configuration change.

This also includes a number of extension distributions (e.g. Crypt::Passphrase::Argon2, Crypt::Passphrase::Bcrypt, etc…), and one new backend module (Crypt::Bcrypt)

Thread::Csp

My most ambitious project of the year by far. It's actually been in the making for a decade, full of lessons learned in my previous attempt. Thread::Csp is a new threading library (build on ithreads primitives, but not on threads.pm and doesn't clone whole interpreters); it is based on Communicating Sequential Processes (hence the name), the same model that Go uses (in particular for its channels).

I firmly believe share-nothing message-passing models of multi-threading are the overlap between what is useful and what is realistically possible given the current interpreter.

autocroak

This is essentially an autodie replacement with one important difference: it's based on opcode overrides instead of function overrides. This means not only that it interacts better with other pragmas, but also that it can support keywords that can not easily be overriden (such as print and system). It should also give less weird edge-cases than autodie.

Raku

I didn't produce as much Raku code this year, most of my Raku energy went into writing a series of blog posts that eventually I made a conference presentation instead.

Crypt::Passphrase

This was a port of the previously mentioned Perl module. It doesn't quite have the backend ecosystem that its big brother has, but given that there's a lot less legacy software in Raku that's not all that much of a problem.

Net::MQTT

A friend complained about the lack of MQTT support in Raku, and binary protocols just happen to be something I have a lot of experience with, so I implemented an MQTT client. While arguably this is the least useful module of the bunch, it was the most fun to write. Raku's typesystem and integrated event loop made this experience a lot smoother than they would have been in other languages.

The Witch and the Witch-hunt

A lot has been said about the recent CAT report and updates. It feels to me like we're not getting anywhere because the critical matters aren't being addressed.