PERF: Use OpenSSL::KDF for Pbkdf2 implementation (#20982)

This was introduced to the standard library in Ruby 2.4. In my testing, it produces the same result, and is around 8x faster than our pure-ruby implementation

Gemfile

@@ -71,8 +71,6 @@ gem "rails_multisite"
 
 gem "fast_xs", platform: :ruby
 
-gem "xorcist"
-
 gem "fastimage"
 
 gem "aws-sdk-s3", require: false

Gemfile.lock

@@ -514,7 +514,6 @@ GEM
       hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.7.0)
     websocket (1.2.9)
-    xorcist (1.1.3)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     yaml-lint (0.1.2)
@@ -666,7 +665,6 @@ DEPENDENCIES
   webdrivers
   webmock
   webrick
-  xorcist
   yaml-lint
   yard
 

lib/pbkdf2.rb

@@ -1,28 +1,13 @@
 # frozen_string_literal: true
 
-# Note: This logic was originally extracted from the Pbkdf2 gem to fix Ruby 2.0
-# issues, but that gem has gone stale so we won't be returning to it.
-
-require "openssl"
-require "xorcist"
-
 class Pbkdf2
-  def self.hash_password(password, salt, iterations, algorithm = "sha256")
+  def self.hash_password(password, salt, iterations, algorithm = "sha256", length: 32)
-    h = OpenSSL::Digest.new(algorithm)
+    OpenSSL::KDF.pbkdf2_hmac(
-
+      password,
-    u = ret = prf(h, password, salt + [1].pack("N"))
+      salt: salt,
-
+      iterations: iterations,
-    2.upto(iterations) do
+      length: length,
-      u = prf(h, password, u)
+      hash: algorithm,
-      Xorcist.xor!(ret, u)
+    ).unpack1("H*")
-    end
-
-    ret.bytes.map { |b| ("0" + b.to_s(16))[-2..-1] }.join("")
-  end
-
-  protected
-
-  def self.prf(hash_function, password, data)
-    OpenSSL::HMAC.digest(hash_function, password, data)
   end
 end