synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: user passwords cleanup (#1202)

Browse Source 
1. Adds benchmarks comparing bcrypt and our pbkdf2 settings
1. Changes the pbkdf2 hash iterations back to 65k. 1024 is insecure
1. Gets rid of the short circuit when the user isn't found, preventing
   timing attacks which can reveal which emails exist on a deployment

```
$ go test -bench .
goos: linux
goarch: amd64
pkg: github.com/coder/coder/coderd/userpassword
cpu: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz
BenchmarkBcryptMinCost-16        	    1651	    702727 ns/op	    5165 B/op      10 allocs/op
BenchmarkPbkdf2MinCost-16        	    1669	    714843 ns/op	     804 B/op      10 allocs/op
BenchmarkBcryptDefaultCost-16    	      27	  42676316 ns/op	    5246 B/op      10 allocs/op
BenchmarkPbkdf2-16               	      26	  45902236 ns/op	     804 B/op      10 allocs/op
PASS
ok  	github.com/coder/coder/coderd/userpassword	5.036s
```
This commit is contained in:
Colin Adler
2022-04-28 13:22:38 -05:00
committed by GitHub
parent e330dc1321
commit 1661588bd1
3 changed files with 137 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
coderd/userpassword/hashing_bench_test.go Normal file
View File

@ -0,0 +1,70 @@
package userpassword_test
import (
"crypto/sha256"
"testing"
"github.com/coder/coder/cryptorand"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/pbkdf2"
)
var (
salt = []byte(must(cryptorand.String(16)))
secret = []byte(must(cryptorand.String(24)))
resBcrypt []byte
resPbkdf2 []byte
)
func BenchmarkBcryptMinCost(b *testing.B) {
var r []byte
b.ReportAllocs()
for i := 0; i < b.N; i++ {
r, _ = bcrypt.GenerateFromPassword(secret, bcrypt.MinCost)
}
resBcrypt = r
}
func BenchmarkPbkdf2MinCost(b *testing.B) {
var r []byte
b.ReportAllocs()
for i := 0; i < b.N; i++ {
r = pbkdf2.Key(secret, salt, 1024, 64, sha256.New)
}
resPbkdf2 = r
}
func BenchmarkBcryptDefaultCost(b *testing.B) {
var r []byte
b.ReportAllocs()
for i := 0; i < b.N; i++ {
r, _ = bcrypt.GenerateFromPassword(secret, bcrypt.DefaultCost)
}
resBcrypt = r
}
func BenchmarkPbkdf2(b *testing.B) {
var r []byte
b.ReportAllocs()
for i := 0; i < b.N; i++ {
r = pbkdf2.Key(secret, salt, 65536, 64, sha256.New)
}
resPbkdf2 = r
}
func must(s string, err error) string {
if err != nil {
panic(err)
}
return s
}