chore(deps): bump pbkdf2 from 0.11.0 to 0.12.2

crates/curp/src/client/stream.rs

@@ -3,9 +3,8 @@ use std::{sync::Arc, time::Duration};
 use futures::Future;
 use tracing::{debug, warn};
 
-use crate::rpc::{connect::ConnectApi, CurpError, Redirect};
-
 use super::state::State;
+use crate::rpc::{connect::ConnectApi, CurpError, Redirect};
 
 /// Stream client config
 #[derive(Debug)]

crates/utils/Cargo.toml

@@ -26,6 +26,7 @@ getset = "0.1"
 opentelemetry = { version = "0.21.0", features = ["trace"] }
 opentelemetry_sdk = { version = "0.21.0", features = ["trace"] }
 parking_lot = { version = "0.12.1", optional = true }
+pbkdf2 = { version = "0.12.2", features = ["simple"] }
 petgraph = "0.6.4"
 rand = "0.8.5"
 serde = { version = "1.0.137", features = ["derive"] }

crates/utils/benches/interval_map.rs

@@ -7,7 +7,6 @@ extern crate utils;
 use std::hint::black_box;
 
 use test::Bencher;
-
 use utils::interval_map::{Interval, IntervalMap};
 
 struct Rng {

crates/utils/src/lib.rs

@@ -202,6 +202,10 @@ pub mod tracing;
 
 use ::tracing::debug;
 pub use parser::*;
+use pbkdf2::{
+    password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
+    Params, Pbkdf2,
+};
 
 /// display all elements for the given vector
 #[macro_export]
@@ -270,3 +274,22 @@ pub fn build_endpoint(
     };
     Ok(endpoint)
 }
+
+/// Hash password
+///
+/// # Errors
+///
+/// return `Error` when hash password failed
+#[inline]
+pub fn hash_password(password: &[u8]) -> Result<String, pbkdf2::password_hash::errors::Error> {
+    let salt = SaltString::generate(&mut OsRng);
+    let simple_para = Params {
+        // The recommended rounds is 600,000 or more
+        // [OWASP cheat sheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+        rounds: 200_000,
+        output_length: 32,
+    };
+    let hashed_password =
+        Pbkdf2.hash_password_customized(password, None, None, simple_para, &salt)?;
+    Ok(hashed_password.to_string())
+}

crates/xline-client/Cargo.toml

@@ -17,7 +17,6 @@ curp = { path = "../curp" }
 futures = "0.3.25"
 getrandom = "0.2"
 http = "0.2.9"
-pbkdf2 = { version = "0.11.0", features = ["std"] }
 thiserror = "1.0.37"
 tokio = { version = "0.2.23", package = "madsim-tokio", features = ["sync"] }
 tonic = { version = "0.4.1", package = "madsim-tonic" }

crates/xline-client/src/clients/auth.rs

@@ -1,10 +1,7 @@
 use std::{fmt::Debug, sync::Arc};
 
-use pbkdf2::{
-    password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
-    Pbkdf2,
-};
 use tonic::transport::Channel;
+use utils::hash_password;
 use xlineapi::{
     command::Command, AuthDisableResponse, AuthEnableResponse, AuthRoleAddResponse,
     AuthRoleDeleteResponse, AuthRoleGetResponse, AuthRoleGrantPermissionResponse,
@@ -246,7 +243,9 @@ impl AuthClient {
                 "password is required but not provided",
             )));
         }
-        let hashed_password = Self::hash_password(request.inner.password.as_bytes());
+        let hashed_password = hash_password(request.inner.password.as_bytes()).map_err(|err| {
+            XlineClientError::InternalError(format!("Failed to hash password: {err}"))
+        })?;
         request.inner.hashed_password = hashed_password;
         request.inner.password = String::new();
         self.handle_req(request.inner, false).await
@@ -401,7 +400,9 @@ impl AuthClient {
                 "role name is empty",
             )));
         }
-        let hashed_password = Self::hash_password(request.inner.password.as_bytes());
+        let hashed_password = hash_password(request.inner.password.as_bytes()).map_err(|err| {
+            XlineClientError::InternalError(format!("Failed to hash password: {err}"))
+        })?;
         request.inner.hashed_password = hashed_password;
         request.inner.password = String::new();
         self.handle_req(request.inner, false).await
@@ -739,14 +740,4 @@ impl AuthClient {
 
         Ok(res_wrapper.into())
     }
-
-    /// Generate hash of the password
-    fn hash_password(password: &[u8]) -> String {
-        let salt = SaltString::generate(&mut OsRng);
-        #[allow(clippy::panic)] // This doesn't seems to be fallible
-        let hashed_password = Pbkdf2
-            .hash_password(password, salt.as_ref())
-            .unwrap_or_else(|e| panic!("Failed to hash password: {e}"));
-        hashed_password.to_string()
-    }
 }

crates/xline/Cargo.toml

@@ -46,7 +46,7 @@ opentelemetry-otlp = { version = "0.14.0", features = [
 opentelemetry-prometheus = { version = "0.14.1" }
 opentelemetry_sdk = { version = "0.21.0", features = ["metrics", "rt-tokio"] }
 parking_lot = "0.12.0"
-pbkdf2 = { version = "0.11.0", features = ["std"] }
+pbkdf2 = { version = "0.12.2", features = ["simple"] }
 priority-queue = "1.3.0"
 prometheus = "0.13.3"
 prost = "0.12.3"

crates/xline/src/server/auth_server.rs

@@ -1,11 +1,8 @@
 use std::sync::Arc;
 
-use pbkdf2::{
-    password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
-    Pbkdf2,
-};
 use tonic::metadata::MetadataMap;
 use tracing::debug;
+use utils::hash_password;
 use xlineapi::{
     command::{Command, CommandResponse, CurpClient, SyncResponse},
     request_validation::RequestValidator,
@@ -72,15 +69,6 @@ where
         Ok(res)
     }
 
-    /// Hash password
-    fn hash_password(password: &[u8]) -> String {
-        let salt = SaltString::generate(&mut OsRng);
-        let hashed_password = Pbkdf2
-            .hash_password(password, salt.as_ref())
-            .unwrap_or_else(|e| panic!("Failed to hash password: {e}"));
-        hashed_password.to_string()
-    }
-
     /// Propose request and make a response
     async fn handle_req<Req, Res>(
         &self,
@@ -145,7 +133,8 @@ where
         let user_add_req = request.get_mut();
         debug!("Receive AuthUserAddRequest {}", user_add_req);
         user_add_req.validation()?;
-        let hashed_password = Self::hash_password(user_add_req.password.as_bytes());
+        let hashed_password = hash_password(user_add_req.password.as_bytes())
+            .map_err(|err| tonic::Status::internal(format!("Failed to hash password: {err}")))?;
         user_add_req.hashed_password = hashed_password;
         user_add_req.password = String::new();
         self.handle_req(request, false).await
@@ -183,7 +172,8 @@ where
     ) -> Result<tonic::Response<AuthUserChangePasswordResponse>, tonic::Status> {
         debug!("Receive AuthUserChangePasswordRequest {:?}", request);
         let user_change_password_req = request.get_mut();
-        let hashed_password = Self::hash_password(user_change_password_req.password.as_bytes());
+        let hashed_password = hash_password(user_change_password_req.password.as_bytes())
+            .map_err(|err| tonic::Status::internal(format!("Failed to hash password: {err}")))?;
         user_change_password_req.hashed_password = hashed_password;
         user_change_password_req.password = String::new();
         self.handle_req(request, false).await

workspace-hack/Cargo.toml

@@ -17,6 +17,7 @@ axum = { version = "0.6" }
 bitflags = { version = "2", default-features = false, features = ["std"] }
 bytes = { version = "1" }
 clap = { version = "4", features = ["derive"] }
+crypto-common = { version = "0.1", default-features = false, features = ["std"] }
 digest = { version = "0.10", features = ["mac", "std"] }
 either = { version = "1" }
 futures-channel = { version = "0.3", features = ["sink"] }
@@ -35,6 +36,7 @@ petgraph = { version = "0.6" }
 rand = { version = "0.8", features = ["small_rng"] }
 serde = { version = "1", features = ["derive", "rc"] }
 serde_json = { version = "1", features = ["raw_value"] }
+sha2 = { version = "0.10" }
 time = { version = "0.3", features = ["formatting", "macros", "parsing"] }
 tokio = { version = "1", features = ["fs", "io-std", "io-util", "macros", "net", "rt-multi-thread", "signal", "sync", "time"] }
 tokio-util = { version = "0.7", features = ["codec", "io"] }