Add support for argon2 password hashing

2022-12-30 01:56:52 +00:00 · 2022-12-30 01:56:52 +00:00 · 3c4f8105df
parent 1121deb078
commit 3c4f8105df
7 changed files with 27 additions and 29 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -10,11 +10,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Prometheus metrics exporting from `/api/v1/akkoma/metrics`
 - Ability to alter http pool size
 - Translation of statuses via ArgosTranslate
+- Argon2 password hashing

 ### Removed
 - Non-finch HTTP adapters
 - Legacy redirect from /api/pleroma/admin to /api/v1/pleroma/admin
 - Legacy redirects from /api/pleroma to /api/v1/pleroma
+- :crypt dependency

 ### Changed
 - Return HTTP error 413 when uploading an avatar or banner that's above the configured upload limit instead of a 500.
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -2277,7 +2277,7 @@ defmodule Pleroma.User do
  defp put_password_hash(
         %Ecto.Changeset{valid?: true, changes: %{password: password}} = changeset
       ) do
-    change(changeset, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt(password))
+    change(changeset, password_hash: Argon2.hash_pwd_salt(password))
  end

  defp put_password_hash(changeset), do: changeset
--- a/lib/pleroma/web/plugs/authentication_plug.ex
+++ b/lib/pleroma/web/plugs/authentication_plug.ex
@ -38,10 +38,6 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do

  def call(conn, _), do: conn

-  def checkpw(password, "$6" <> _ = password_hash) do
-    :crypt.crypt(password, password_hash) == password_hash
-  end
-
  def checkpw(password, "$2" <> _ = password_hash) do
    # Handle bcrypt passwords for Mastodon migration
    Bcrypt.verify_pass(password, password_hash)
@ -51,6 +47,10 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
    Pleroma.Password.Pbkdf2.verify_pass(password, password_hash)
  end

+  def checkpw(password, "$argon2" <> _ = password_hash) do
+    Argon2.verify_pass(password, password_hash)
+  end
+
  def checkpw(_password, _password_hash) do
    Logger.error("Password hash not recognized")
    false
@ -64,6 +64,10 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlug do
    do_update_password(user, password)
  end

+  def maybe_update_password(%User{password_hash: "$pbkdf2" <> _} = user, password) do
+    do_update_password(user, password)
+  end
+
  def maybe_update_password(user, _), do: {:ok, user}

  defp do_update_password(user, password) do
--- a/mix.exs
+++ b/mix.exs
@ -143,9 +143,7 @@ defmodule Pleroma.Mixfile do
      {:sweet_xml, "~> 0.7.2"},
      {:earmark, "~> 1.4.15"},
      {:bbcode_pleroma, "~> 0.2.0"},
-      {:crypt,
-       git: "https://github.com/msantos/crypt.git",
-       ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"},
+      {:argon2_elixir, "~> 3.0.0"},
      {:cors_plug, "~> 2.0"},
      {:web_push_encryption, "~> 0.3.1"},
      {:swoosh, "~> 1.0"},
--- a/mix.lock
+++ b/mix.lock
@ -1,4 +1,5 @@
 %{
+  "argon2_elixir": {:hex, :argon2_elixir, "3.0.0", "fd4405f593e77b525a5c667282172dd32772d7c4fa58cdecdaae79d2713b6c5f", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "8b753b270af557d51ba13fcdebc0f0ab27a2a6792df72fd5a6cf9cfaffcedc57"},
  "base62": {:hex, :base62, "1.2.2", "85c6627eb609317b70f555294045895ffaaeb1758666ab9ef9ca38865b11e629", [:mix], [{:custom_base, "~> 0.2.1", [hex: :custom_base, repo: "hexpm", optional: false]}], "hexpm", "d41336bda8eaa5be197f1e4592400513ee60518e5b9f4dcf38f4b4dae6f377bb"},
  "bbcode_pleroma": {:hex, :bbcode_pleroma, "0.2.0", "d36f5bca6e2f62261c45be30fa9b92725c0655ad45c99025cb1c3e28e25803ef", [:mix], [{:nimble_parsec, "~> 0.5", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "19851074419a5fedb4ef49e1f01b30df504bb5dbb6d6adfc135238063bebd1c3"},
  "bcrypt_elixir": {:hex, :bcrypt_elixir, "2.3.1", "5114d780459a04f2b4aeef52307de23de961b69e13a5cd98a911e39fda13f420", [:make, :mix], [{:comeonin, "~> 5.3", [hex: :comeonin, repo: "hexpm", optional: false]}, {:elixir_make, "~> 0.6", [hex: :elixir_make, repo: "hexpm", optional: false]}], "hexpm", "42182d5f46764def15bf9af83739e3bf4ad22661b1c34fc3e88558efced07279"},
@ -18,7 +19,6 @@
  "cowboy_telemetry": {:hex, :cowboy_telemetry, "0.3.1", "ebd1a1d7aff97f27c66654e78ece187abdc646992714164380d8a041eda16754", [:rebar3], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "3a6efd3366130eab84ca372cbd4a7d3c3a97bdfcfb4911233b035d117063f0af"},
  "cowlib": {:hex, :cowlib, "2.11.0", "0b9ff9c346629256c42ebe1eeb769a83c6cb771a6ee5960bd110ab0b9b872063", [:make, :rebar3], [], "hexpm", "2b3e9da0b21c4565751a6d4901c20d1b4cc25cbb7fd50d91d2ab6dd287bc86a9"},
  "credo": {:git, "https://github.com/rrrene/credo.git", "1c1b99ea41a457761383d81aaf6a606913996fe7", [ref: "1c1b99ea41a457761383d81aaf6a606913996fe7"]},
-  "crypt": {:git, "https://github.com/msantos/crypt.git", "f75cd55325e33cbea198fb41fe41871392f8fb76", [ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"]},
  "custom_base": {:hex, :custom_base, "0.2.1", "4a832a42ea0552299d81652aa0b1f775d462175293e99dfbe4d7dbaab785a706", [:mix], [], "hexpm", "8df019facc5ec9603e94f7270f1ac73ddf339f56ade76a721eaa57c1493ba463"},
  "db_connection": {:hex, :db_connection, "2.4.3", "3b9aac9f27347ec65b271847e6baeb4443d8474289bd18c1d6f4de655b70c94d", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "c127c15b0fa6cfb32eed07465e05da6c815b032508d4ed7c116122871df73c12"},
  "decimal": {:hex, :decimal, "2.0.0", "a78296e617b0f5dd4c6caf57c714431347912ffb1d0842e998e9792b5642d697", [:mix], [], "hexpm", "34666e9c55dea81013e77d9d87370fe6cb6291d1ef32f46a1600230b1d44f577"},
--- a/test/pleroma/web/plugs/authentication_plug_test.exs
+++ b/test/pleroma/web/plugs/authentication_plug_test.exs
@ -52,7 +52,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
    assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)
  end

-  test "with a bcrypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
+  test "with a bcrypt hash, it updates to an argon2 hash", %{conn: conn} do
    user = insert(:user, password_hash: Bcrypt.hash_pwd_salt("123"))
    assert "$2" <> _ = user.password_hash

@ -67,21 +67,17 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
    assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)

    user = User.get_by_id(user.id)
-    assert "$pbkdf2" <> _ = user.password_hash
+    assert "$argon2" <> _ = user.password_hash
  end

-  @tag :skip_on_mac
-  test "with a crypt hash, it updates to a pkbdf2 hash", %{conn: conn} do
-    user =
-      insert(:user,
-        password_hash:
-          "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
-      )
+  test "with a pbkdf2 hash, it updates to an argon2 hash", %{conn: conn} do
+    user = insert(:user, password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("123"))
+    assert "$pbkdf2" <> _ = user.password_hash

    conn =
      conn
      |> assign(:auth_user, user)
-      |> assign(:auth_credentials, %{password: "password"})
+      |> assign(:auth_credentials, %{password: "123"})
      |> AuthenticationPlug.call(%{})

    assert conn.assigns.user.id == conn.assigns.auth_user.id
@ -89,7 +85,7 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
    assert PlugHelper.plug_skipped?(conn, OAuthScopesPlug)

    user = User.get_by_id(user.id)
-    assert "$pbkdf2" <> _ = user.password_hash
+    assert "$argon2" <> _ = user.password_hash
  end

  describe "checkpw/2" do
@ -101,14 +97,6 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
      refute AuthenticationPlug.checkpw("test-password1", hash)
    end

-    @tag :skip_on_mac
-    test "check sha512-crypt hash" do
-      hash =
-        "$6$9psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
-
-      assert AuthenticationPlug.checkpw("password", hash)
-    end
-
    test "check bcrypt hash" do
      hash = "$2a$10$uyhC/R/zoE1ndwwCtMusK.TLVzkQ/Ugsbqp3uXI.CTTz0gBw.24jS"

@ -116,6 +104,12 @@ defmodule Pleroma.Web.Plugs.AuthenticationPlugTest do
      refute AuthenticationPlug.checkpw("password1", hash)
    end

+    test "check argon2 hash" do
+      hash = "$argon2id$v=19$m=65536,t=8,p=2$zEMMsTuK5KkL5AFWbX7jyQ$VyaQD7PF6e9btz0oH1YiAkWwIGZ7WNDZP8l+a/O171g"
+      assert AuthenticationPlug.checkpw("password", hash)
+      refute AuthenticationPlug.checkpw("password1", hash)
+    end
+
    test "it returns false when hash invalid" do
      hash =
        "psBWV8gxkGOZWBz$PmfCycChoxeJ3GgGzwvhlgacb9mUoZ.KUXNCssekER4SJ7bOK53uXrHNb2e4i8yPFgSKyzaW9CcmrDXWIEMtD1"
--- a/test/support/factory.ex
+++ b/test/support/factory.ex
@ -52,7 +52,7 @@ defmodule Pleroma.Factory do
      name: sequence(:name, &"Test テスト User #{&1}"),
      email: sequence(:email, &"user#{&1}@example.com"),
      nickname: sequence(:nickname, &"nick#{&1}"),
-      password_hash: Pleroma.Password.Pbkdf2.hash_pwd_salt("test"),
+      password_hash: Argon2.hash_pwd_salt("test"),
      bio: sequence(:bio, &"Tester Number #{&1}"),
      is_discoverable: true,
      last_digest_emailed_at: NaiveDateTime.utc_now(),