feat: improve bcrypt usability

* limit salt rounds to usable values
* update bcrypt library to enable concurrent bcrypt hash calculation
This commit is contained in:
Ilya Averyanov 2023-08-21 18:39:43 +03:00
parent 01c9095982
commit 90156befb5
4 changed files with 19 additions and 6 deletions


@ -63,6 +63,9 @@
check_password/4 check_password/4
]). ]).
-define(SALT_ROUNDS_MIN, 5).
-define(SALT_ROUNDS_MAX, 10).
namespace() -> "authn-hash". namespace() -> "authn-hash".
roots() -> [pbkdf2, bcrypt, bcrypt_rw, simple]. roots() -> [pbkdf2, bcrypt, bcrypt_rw, simple].
@ -71,11 +74,12 @@ fields(bcrypt_rw) ->
[ [
{salt_rounds, {salt_rounds,
sc( sc(
integer(), range(?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX),
#{ #{
default => 10, default => ?SALT_ROUNDS_MAX,
example => 10, example => ?SALT_ROUNDS_MAX,
desc => "Salt rounds for BCRYPT password generation." desc => "Work factor for BCRYPT password generation.",
converter => fun salt_rounds_converter/2
} }
)} )}
]; ];
@ -106,6 +110,13 @@ fields(simple) ->
{salt_position, fun salt_position/1} {salt_position, fun salt_position/1}
]. ].
salt_rounds_converter(undefined, _) ->
undefined;
salt_rounds_converter(I, _) when is_integer(I) ->
emqx_utils:clamp(I, ?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX);
salt_rounds_converter(X, _) ->
X.
desc(bcrypt_rw) -> desc(bcrypt_rw) ->
"Settings for bcrypt password hashing algorithm (for DB backends with write capability)."; "Settings for bcrypt password hashing algorithm (for DB backends with write capability).";
desc(bcrypt) -> desc(bcrypt) ->
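Review bot: The clamp in `salt_rounds_converter/2` (third hunk) silently rewrites any configured integer outside 5–10, so the `range(?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX)` check added in the second hunk never fires for integers, and an operator who had a higher value configured ends up with a weaker work factor without any notice; I believe hocon runs converters before type validation, which is what makes the range check unreachable here. I would either drop the clamp and let the range check reject the value, or keep the clamp but make the change visible: `Clamped = emqx_utils:clamp(I, ?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX),` / `Clamped =:= I orelse log_clamped(I, Clamped),` / `Clamped;` with a small `log_clamped/2` helper emitting a warning through the module's usual logging macro. The `desc` on the `salt_rounds` field should also state the accepted range and what happens outside it, e.g. `"Work factor for BCRYPT password generation. Allowed range is 5..10; values outside it are adjusted to the nearest bound."`.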


@ -0,0 +1,2 @@
The bcrypt work factor is limited to the range 5-10, because higher values consume too much CPU resources.
Bcrypt library is updated to allow parallel hash evaluation.


@ -815,7 +815,7 @@ defmodule EMQXUmbrella.MixProject do
defp bcrypt_dep() do defp bcrypt_dep() do
if enable_bcrypt?(), if enable_bcrypt?(),
do: [{:bcrypt, github: "emqx/erlang-bcrypt", tag: "0.6.0", override: true}], do: [{:bcrypt, github: "emqx/erlang-bcrypt", tag: "0.6.1", override: true}],
else: [] else: []
end end


@ -36,7 +36,7 @@ assert_otp() ->
end. end.
bcrypt() -> bcrypt() ->
{bcrypt, {git, "https://github.com/emqx/erlang-bcrypt.git", {tag, "0.6.0"}}}. {bcrypt, {git, "https://github.com/emqx/erlang-bcrypt.git", {tag, "0.6.1"}}}.
quicer() -> quicer() ->
{quicer, {git, "https://github.com/emqx/quic.git", {tag, "0.0.114"}}}. {quicer, {git, "https://github.com/emqx/quic.git", {tag, "0.0.114"}}}.