mirror of
https://github.com/coder/coder.git
synced 2025-07-03 16:13:58 +00:00
1661588bd1
1. Adds benchmarks comparing bcrypt and our pbkdf2 settings 1. Changes the pbkdf2 hash iterations back to 65k. 1024 is insecure 1. Gets rid of the short circuit when the user isn't found, preventing timing attacks which can reveal which emails exist on a deployment ``` $ go test -bench . goos: linux goarch: amd64 pkg: github.com/coder/coder/coderd/userpassword cpu: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz BenchmarkBcryptMinCost-16 1651 702727 ns/op 5165 B/op 10 allocs/op BenchmarkPbkdf2MinCost-16 1669 714843 ns/op 804 B/op 10 allocs/op BenchmarkBcryptDefaultCost-16 27 42676316 ns/op 5246 B/op 10 allocs/op BenchmarkPbkdf2-16 26 45902236 ns/op 804 B/op 10 allocs/op PASS ok github.com/coder/coder/coderd/userpassword 5.036s ```
124 lines
3.4 KiB
Go
124 lines
3.4 KiB
Go
package userpassword
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"crypto/subtle"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"golang.org/x/crypto/pbkdf2"
|
|
"golang.org/x/exp/slices"
|
|
"golang.org/x/xerrors"
|
|
)
|
|
|
|
var (
|
|
// The base64 encoder used when producing the string representation of
|
|
// hashes.
|
|
base64Encoding = base64.RawStdEncoding
|
|
|
|
// The number of iterations to use when generating the hash. This was chosen
|
|
// to make it about as fast as bcrypt hashes. Increasing this causes hashes
|
|
// to take longer to compute.
|
|
defaultHashIter = 65535
|
|
|
|
// This is the length of our output hash. bcrypt has a hash size of up to
|
|
// 60, so we rounded up to a power of 8.
|
|
hashLength = 64
|
|
|
|
// The scheme to include in our hashed password.
|
|
hashScheme = "pbkdf2-sha256"
|
|
|
|
// A salt size of 16 is the default in passlib. A minimum of 8 can be safely
|
|
// used.
|
|
defaultSaltSize = 16
|
|
|
|
// The simulated hash is used when trying to simulate password checks for
|
|
// users that don't exist.
|
|
simulatedHash, _ = Hash("hunter2")
|
|
)
|
|
|
|
// Make password hashing much faster in tests.
|
|
func init() {
|
|
args := os.Args[1:]
|
|
|
|
// Ensure this can never be enabled if running in server mode.
|
|
if slices.Contains(args, "server") {
|
|
return
|
|
}
|
|
|
|
for _, flag := range args {
|
|
if strings.HasPrefix(flag, "-test.") {
|
|
defaultHashIter = 1
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// Compare checks the equality of passwords from a hashed pbkdf2 string. This
|
|
// uses pbkdf2 to ensure FIPS 140-2 compliance. See:
|
|
// https://csrc.nist.gov/csrc/media/templates/cryptographic-module-validation-program/documents/security-policies/140sp2261.pdf
|
|
func Compare(hashed string, password string) (bool, error) {
|
|
// If the hased password provided is empty, simulate comparing a real hash.
|
|
if hashed == "" {
|
|
hashed = simulatedHash
|
|
}
|
|
|
|
if len(hashed) < hashLength {
|
|
return false, xerrors.Errorf("hash too short: %d", len(hashed))
|
|
}
|
|
parts := strings.SplitN(hashed, "$", 5)
|
|
if len(parts) != 5 {
|
|
return false, xerrors.Errorf("hash has too many parts: %d", len(parts))
|
|
}
|
|
if len(parts[0]) != 0 {
|
|
return false, xerrors.Errorf("hash prefix is invalid")
|
|
}
|
|
if parts[1] != hashScheme {
|
|
return false, xerrors.Errorf("hash isn't %q scheme: %q", hashScheme, parts[1])
|
|
}
|
|
iter, err := strconv.Atoi(parts[2])
|
|
if err != nil {
|
|
return false, xerrors.Errorf("parse iter from hash: %w", err)
|
|
}
|
|
salt, err := base64Encoding.DecodeString(parts[3])
|
|
if err != nil {
|
|
return false, xerrors.Errorf("decode salt: %w", err)
|
|
}
|
|
|
|
if subtle.ConstantTimeCompare([]byte(hashWithSaltAndIter(password, salt, iter)), []byte(hashed)) != 1 {
|
|
return false, nil
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// Hash generates a hash using pbkdf2.
|
|
// See the Compare() comment for rationale.
|
|
func Hash(password string) (string, error) {
|
|
salt := make([]byte, defaultSaltSize)
|
|
_, err := rand.Read(salt)
|
|
if err != nil {
|
|
return "", xerrors.Errorf("read random bytes for salt: %w", err)
|
|
}
|
|
|
|
return hashWithSaltAndIter(password, salt, defaultHashIter), nil
|
|
}
|
|
|
|
// Produces a string representation of the hash.
|
|
func hashWithSaltAndIter(password string, salt []byte, iter int) string {
|
|
var (
|
|
hash = pbkdf2.Key([]byte(password), salt, iter, hashLength, sha256.New)
|
|
encHash = make([]byte, base64Encoding.EncodedLen(len(hash)))
|
|
encSalt = make([]byte, base64Encoding.EncodedLen(len(salt)))
|
|
)
|
|
|
|
base64Encoding.Encode(encHash, hash)
|
|
base64Encoding.Encode(encSalt, salt)
|
|
|
|
return fmt.Sprintf("$%s$%d$%s$%s", hashScheme, iter, encSalt, encHash)
|
|
}
|