Noobaa Account: Replace bcrypt password hashing by crypto #8252
+57
−9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As bcrypt is not under active maintenance, we need to replace it with node.js crypto hashing module. Signed-off-by: Ashish Pandey <aspandey@redhat.com>
aspandey
force-pushed
the
bcrypt-to-node-hash
branch
from
e19fea0
to
6a9f525
Compare
guymguym
requested changes
Aug 5, 2024
Comment on lines
+4
to
+38
| const CRYPTO_SALT_BUFFER_SIZE = 8; | ||
| const CRYPTO_SALT_KEY_LENGTH = 32; | ||
| const CRYPTO_PBKDF2_ITERATIONS = 100; | ||
|
|
||
| const crypto = require('crypto'); | ||
|
|
||
| function create_node_password_hash(password) { | ||
| return new Promise((resolve, reject) => { | ||
| const salt = crypto.randomBytes(CRYPTO_SALT_BUFFER_SIZE).toString('hex'); | ||
| crypto.pbkdf2(password, salt, CRYPTO_PBKDF2_ITERATIONS, CRYPTO_SALT_KEY_LENGTH, 'sha512', (err, derivedKey) => { | ||
| if (err) { | ||
| reject(err); | ||
| return err; | ||
| } | ||
| resolve(salt + ':' + derivedKey.toString('hex')); | ||
| }); | ||
| }); | ||
| } | ||
|
|
||
| function verify_node_password_hash(password, hashedPassword) { | ||
| return new Promise((resolve, reject) => { | ||
| const [salt, key] = hashedPassword.split(':'); | ||
| crypto.pbkdf2(password, salt, CRYPTO_PBKDF2_ITERATIONS, CRYPTO_SALT_KEY_LENGTH, 'sha512', (err, derivedKey) => { | ||
| if (err) { | ||
| reject(err); | ||
| return err; | ||
| } | ||
| resolve(key === derivedKey.toString('hex')); | ||
| }); | ||
| }); | ||
| } | ||
|
|
||
|
|
||
| exports.create_node_password_hash = create_node_password_hash; | ||
| exports.verify_node_password_hash = verify_node_password_hash; |
There was a problem hiding this comment.
I would call this new module password_utils and implement it with async await:
Suggested change
| const CRYPTO_SALT_BUFFER_SIZE = 8; | |
| const CRYPTO_SALT_KEY_LENGTH = 32; | |
| const CRYPTO_PBKDF2_ITERATIONS = 100; | |
| const crypto = require('crypto'); | |
| function create_node_password_hash(password) { | |
| return new Promise((resolve, reject) => { | |
| const salt = crypto.randomBytes(CRYPTO_SALT_BUFFER_SIZE).toString('hex'); | |
| crypto.pbkdf2(password, salt, CRYPTO_PBKDF2_ITERATIONS, CRYPTO_SALT_KEY_LENGTH, 'sha512', (err, derivedKey) => { | |
| if (err) { | |
| reject(err); | |
| return err; | |
| } | |
| resolve(salt + ':' + derivedKey.toString('hex')); | |
| }); | |
| }); | |
| } | |
| function verify_node_password_hash(password, hashedPassword) { | |
| return new Promise((resolve, reject) => { | |
| const [salt, key] = hashedPassword.split(':'); | |
| crypto.pbkdf2(password, salt, CRYPTO_PBKDF2_ITERATIONS, CRYPTO_SALT_KEY_LENGTH, 'sha512', (err, derivedKey) => { | |
| if (err) { | |
| reject(err); | |
| return err; | |
| } | |
| resolve(key === derivedKey.toString('hex')); | |
| }); | |
| }); | |
| } | |
| exports.create_node_password_hash = create_node_password_hash; | |
| exports.verify_node_password_hash = verify_node_password_hash; | |
| const HASH_PASSWORD_SALT_SIZE = 64; | |
| const HASH_PASSWORD_KEY_SIZE = 64; | |
| const HASH_PASSWORD_ITERATIONS = 100000; | |
| const HASH_PASSWORD_DIGEST = 'sha512'; | |
| const util = require('node:util'); | |
| const crypto = require('node:crypto'); | |
| const pbkdf2 = util.promisify(crypto.pbkdf2); | |
| async function derive_key(password, salt) { | |
| return pbkdf2(password, salt, HASH_PASSWORD_ITERATIONS, HASH_PASSWORD_KEY_SIZE, HASH_PASSWORD_DIGEST); | |
| } | |
| async function hash_password(password) { | |
| const salt = crypto.randomBytes(HASH_PASSWORD_SALT_SIZE); | |
| const key = derive_key(password, salt); | |
| return salt.toString('hex') + ':' + key.toString('hex'); | |
| } | |
| async function hash_compare(password, hash) { | |
| const [salt, verify_key] = hash.split(':'); | |
| const key = derive_key(password, salt); | |
| return crypto.timingSafeEqual(key, Buffer.from(verify_key, 'hex')); | |
| } | |
| exports.hash_password = hash_password; | |
| exports.hash_compare = hash_compare; |
There was a problem hiding this comment.
I am not so sure about the choice of numbers - iteration count, salt size, and key size...
I was looking at the nodejs docs - https://nodejs.org/api/crypto.html#cryptopbkdf2password-salt-iterations-keylen-digest-callback
The iterations argument must be a number set as high as possible. The higher the number of iterations, the more secure the derived key will be, but will take a longer amount of time to complete.
The salt should be as unique as possible. It is recommended that a salt is random and at least 16 bytes long. See NIST SP 800-132 for details.
Comment on lines
+27
to
+29
| if (bcrypt.compare(password.unwrap(), target_account.password.unwrap())) { | ||
| return true; | ||
| } |
There was a problem hiding this comment.
What is this supposed to do - are we still allowing previous bcyrpt?
This needs to be at least explained in a code comment.
| @@ -6,7 +6,8 @@ const _ = require('lodash'); | |||
| const net = require('net'); | |||
| const chance = require('chance')(); | |||
| const GoogleStorage = require('../../util/google_storage_wrap'); | |||
| const bcrypt = require('bcrypt'); | |||
| const node_hash = require('../../util/account_password_hash'); | |||
There was a problem hiding this comment.
I would call this new module password_utils
Suggested change
| const node_hash = require('../../util/account_password_hash'); | |
| const password_utils = require('../../util/password_utils'); |
Comment on lines
+1362
to
1365
| function crypto_password(password) { | ||
| return P.resolve() | ||
| .then(() => password && node_hash.create_node_password_hash(password)); | ||
| } |
There was a problem hiding this comment.
Better get rid of this P.resolve and use proper async function
| @@ -21,6 +22,14 @@ const config = require('../../../config'); | |||
| const s3_bucket_policy_utils = require('../../endpoint/s3/s3_bucket_policy_utils'); | |||
|
|
|||
|
|
|||
|
|
|||
| function compare_password_hash(password, target_account) { | |||
| if (bcrypt.compare(password.unwrap(), target_account.password.unwrap())) { | |||
There was a problem hiding this comment.
is bcrypt.compare a sync function call or async?
|
This PR had no activity for too long - it will now be labeled stale. Update it to prevent it from getting closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As bcrypt is not under active maintenance, we need to replace it with node.js crypto hashing module.
This PR is in line with #8213
IN this PR I tried to implement in-built node.js crypto module. Over all approach is same.
We just need to implement two addition functions to create hash and verify that hash.