feat: improve bcrypt usability

* limit salt rounds to usable values * update bcrypt library to enable concurrent bcrypt hash calculation
2023-08-21 18:39:43 +03:00 · 2023-08-21 18:39:43 +03:00 · 90156befb5
parent 01c9095982
commit 90156befb5
4 changed files with 19 additions and 6 deletions
--- a/apps/emqx_authn/src/emqx_authn_password_hashing.erl
+++ b/apps/emqx_authn/src/emqx_authn_password_hashing.erl
@ -63,6 +63,9 @@
    check_password/4
 ]).

+-define(SALT_ROUNDS_MIN, 5).
+-define(SALT_ROUNDS_MAX, 10).
+
 namespace() -> "authn-hash".
 roots() -> [pbkdf2, bcrypt, bcrypt_rw, simple].

@ -71,11 +74,12 @@ fields(bcrypt_rw) ->
        [
            {salt_rounds,
                sc(
-                    integer(),
+                    range(?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX),
                    #{
-                        default => 10,
-                        example => 10,
-                        desc => "Salt rounds for BCRYPT password generation."
+                        default => ?SALT_ROUNDS_MAX,
+                        example => ?SALT_ROUNDS_MAX,
+                        desc => "Work factor for BCRYPT password generation.",
+                        converter => fun salt_rounds_converter/2
                    }
                )}
        ];
@ -106,6 +110,13 @@ fields(simple) ->
        {salt_position, fun salt_position/1}
    ].

+salt_rounds_converter(undefined, _) ->
+    undefined;
+salt_rounds_converter(I, _) when is_integer(I) ->
+    emqx_utils:clamp(I, ?SALT_ROUNDS_MIN, ?SALT_ROUNDS_MAX);
+salt_rounds_converter(X, _) ->
+    X.
+
 desc(bcrypt_rw) ->
    "Settings for bcrypt password hashing algorithm (for DB backends with write capability).";
 desc(bcrypt) ->
--- a/changes/ce/feat-11487.en.md
+++ b/changes/ce/feat-11487.en.md
@ -0,0 +1,2 @@
+The bcrypt work factor is limited to the range 5-10, because higher values consume too much CPU resources.
+Bcrypt library is updated to allow parallel hash evaluation.
--- a/mix.exs
+++ b/mix.exs
@ -815,7 +815,7 @@ defmodule EMQXUmbrella.MixProject do

  defp bcrypt_dep() do
    if enable_bcrypt?(),
-      do: [{:bcrypt, github: "emqx/erlang-bcrypt", tag: "0.6.0", override: true}],
+      do: [{:bcrypt, github: "emqx/erlang-bcrypt", tag: "0.6.1", override: true}],
      else: []
  end

--- a/rebar.config.erl
+++ b/rebar.config.erl
@ -36,7 +36,7 @@ assert_otp() ->
    end.

 bcrypt() ->
-    {bcrypt, {git, "https://github.com/emqx/erlang-bcrypt.git", {tag, "0.6.0"}}}.
+    {bcrypt, {git, "https://github.com/emqx/erlang-bcrypt.git", {tag, "0.6.1"}}}.

 quicer() ->
    {quicer, {git, "https://github.com/emqx/quic.git", {tag, "0.0.114"}}}.