From 6e3063b15aa88179fefcf6f75001224de68c5dd2 Mon Sep 17 00:00:00 2001 From: Francis Lavoie Date: Mon, 5 Sep 2022 15:32:58 -0400 Subject: caddyauth: Speed up basicauth provision, deprecate scrypt (#4720) * caddyauth: Speed up basicauth provisioning, precalculate fake password * Deprecate scrypt, allow using decoded bcrypt hashes * Add TODO note Co-authored-by: Matt Holt Co-authored-by: Matt Holt --- modules/caddyhttp/caddyauth/hashes.go | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'modules/caddyhttp/caddyauth/hashes.go') diff --git a/modules/caddyhttp/caddyauth/hashes.go b/modules/caddyhttp/caddyauth/hashes.go index 63bfe1b..6505d18 100644 --- a/modules/caddyhttp/caddyauth/hashes.go +++ b/modules/caddyhttp/caddyauth/hashes.go @@ -16,6 +16,7 @@ package caddyauth import ( "crypto/subtle" + "encoding/base64" "github.com/caddyserver/caddy/v2" "golang.org/x/crypto/bcrypt" @@ -55,7 +56,16 @@ func (BcryptHash) Hash(plaintext, _ []byte) ([]byte, error) { return bcrypt.GenerateFromPassword(plaintext, 14) } +// FakeHash returns a fake hash. +func (BcryptHash) FakeHash() []byte { + // hashed with the following command: + // caddy hash-password --plaintext "antitiming" --algorithm "bcrypt" + return []byte("$2a$14$X3ulqf/iGxnf1k6oMZ.RZeJUoqI9PX2PM4rS5lkIKJXduLGXGPrt6") +} + // ScryptHash implements the scrypt KDF as a hash. +// +// DEPRECATED, please use 'bcrypt' instead. type ScryptHash struct { // scrypt's N parameter. If unset or 0, a safe default is used. N int `json:"N,omitempty"` @@ -80,8 +90,9 @@ func (ScryptHash) CaddyModule() caddy.ModuleInfo { } // Provision sets up s. -func (s *ScryptHash) Provision(_ caddy.Context) error { +func (s *ScryptHash) Provision(ctx caddy.Context) error { s.SetDefaults() + ctx.Logger(s).Warn("use of 'scrypt' is deprecated, please use 'bcrypt' instead") return nil } @@ -123,6 +134,14 @@ func (s ScryptHash) Hash(plaintext, salt []byte) ([]byte, error) { return scrypt.Key(plaintext, salt, s.N, s.R, s.P, s.KeyLength) } +// FakeHash returns a fake hash. +func (ScryptHash) FakeHash() []byte { + // hashed with the following command: + // caddy hash-password --plaintext "antitiming" --salt "fakesalt" --algorithm "scrypt" + bytes, _ := base64.StdEncoding.DecodeString("kFbjiVemlwK/ZS0tS6/UQqEDeaNMigyCs48KEsGUse8=") + return bytes +} + func hashesMatch(pwdHash1, pwdHash2 []byte) bool { return subtle.ConstantTimeCompare(pwdHash1, pwdHash2) == 1 } -- cgit v1.2.3