fix: fix pbkdf2 hash_password timeout problem

Signed-off-by: Phoeniix Zhao <[email protected]>
xline-kv · Mar 23, 2024 · c9bfacd · c9bfacd
1 parent 10e9f46
commit c9bfacd
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/crates/utils/benches/interval_map.rs b/crates/utils/benches/interval_map.rs
@@ -7,7 +7,6 @@ extern crate utils;
 use std::hint::black_box;
 
 use test::Bencher;
-
 use utils::interval_map::{Interval, IntervalMap};
 
 struct Rng {

diff --git a/crates/xline-client/src/clients/auth.rs b/crates/xline-client/src/clients/auth.rs
@@ -2,7 +2,7 @@ use std::{fmt::Debug, sync::Arc};
 
 use pbkdf2::{
     password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
-    Pbkdf2,
+    Params, Pbkdf2,
 };
 use tonic::transport::Channel;
 use xlineapi::{
@@ -743,9 +743,14 @@ impl AuthClient {
     /// Generate hash of the password
     fn hash_password(password: &[u8]) -> String {
         let salt = SaltString::generate(&mut OsRng);
-        #[allow(clippy::panic)] // This doesn't seems to be fallible
+        let simple_para = Params {
+            // The recommended rounds is 600,000 or more
+            // [OWASP cheat sheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+            rounds: 10000,
+            output_length: 32,
+        };
         let hashed_password = Pbkdf2
-            .hash_password(password, &salt)
+            .hash_password_customized(password, None, None, simple_para, &salt)
             .unwrap_or_else(|e| panic!("Failed to hash password: {e}"));
         hashed_password.to_string()
     }

diff --git a/crates/xline/src/server/auth_server.rs b/crates/xline/src/server/auth_server.rs
@@ -2,7 +2,7 @@ use std::sync::Arc;
 
 use pbkdf2::{
     password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
-    Pbkdf2,
+    Params, Pbkdf2,
 };
 use tonic::metadata::MetadataMap;
 use tracing::debug;
@@ -75,8 +75,14 @@ where
     /// Hash password
     fn hash_password(password: &[u8]) -> String {
         let salt = SaltString::generate(&mut OsRng);
+        let simple_para = Params {
+            // The recommended rounds is 600,000 or more
+            // [OWASP cheat sheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+            rounds: 10000,
+            output_length: 32,
+        };
         let hashed_password = Pbkdf2
-            .hash_password(password, &salt)
+            .hash_password_customized(password, None, None, simple_para, &salt)
             .unwrap_or_else(|e| panic!("Failed to hash password: {e}"));
         hashed_password.to_string()
     }