Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 12 additions & 11 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion crates/core/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ validator.workspace = true
# pbkdf2 crate removed: PBKDF2-HMAC-SHA512 is implemented directly in
# password_hashing.rs using the workspace hmac/sha2 to avoid a
# digest v0.10 vs v0.11 version conflict (pbkdf2 v0.12 uses sha2 v0.10).
scrypt = "0.11"
scrypt = "0.12"
subtle = "2.6.1"

[dev-dependencies]
Expand Down
14 changes: 11 additions & 3 deletions crates/core/src/api_key/crypto.rs
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@
//
// SPDX-License-Identifier: Apache-2.0
//! # API Key Argon2id hashing & verification (ADR 0021 §3 Step 3, §6.B).
use argon2::password_hash::rand_core::OsRng;
use argon2::password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString};
use argon2::{Algorithm, Argon2, Params, Version};
use base64::{Engine as _, engine::general_purpose::STANDARD_NO_PAD};
use rand::RngExt;

use openstack_keystone_config::ApiKeyProvider;

Expand All @@ -25,6 +26,12 @@ use crate::api_key::ApiKeyProviderError;
/// 7). Deliberately not derived from any request data.
const DUMMY_ENTROPY: &str = "keystone-api-key-dummy-entropy-constant-time-padding";

fn _generate_salt() -> String {
let mut bytes = [0u8; 16];
rand::rng().fill(&mut bytes);
STANDARD_NO_PAD.encode(bytes)
}

fn build_params(config: &ApiKeyProvider) -> Result<Params, ApiKeyProviderError> {
Params::new(
config.argon2_memory_kib,
Expand All @@ -46,10 +53,11 @@ pub async fn hash_secret(
tokio::task::spawn_blocking(move || {
let params = build_params(&config)?;
let argon2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
let salt = SaltString::generate(&mut OsRng);
let salt =
SaltString::from_b64(_generate_salt().as_str()).map_err(ApiKeyProviderError::crypto)?;
argon2
.hash_password(entropy.as_bytes(), &salt)
.map(|hash| hash.to_string())
.map(|h| h.to_string())
.map_err(ApiKeyProviderError::crypto)
})
.await
Expand Down
6 changes: 3 additions & 3 deletions crates/core/src/common/password_hashing/scrypt.rs
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,8 @@ impl PasswordHasher for ScryptHasher {
let password_bytes = password.to_vec();
let hash = task::spawn_blocking(move || {
let salt = generate_salt();
// Params::new(log_n, r, p, output_len): ln=16 means n=2^16=65536.
let params = ::scrypt::Params::new(16, 8, 1, 32)
// Params::new(log_n, r, p): ln=16 means n=2^16=65536.
let params = ::scrypt::Params::new(16, 8, 1)
.map_err(|e| PasswordHashError::CryptoHash(e.to_string()))?;
let mut digest = vec![0u8; 32];
::scrypt::scrypt(&password_bytes, &salt, &params, &mut digest)
Expand Down Expand Up @@ -99,7 +99,7 @@ impl PasswordHasher for ScryptHasher {
.decode(digest_b64.replace('.', "+").as_bytes())
.map_err(|_| PasswordHashError::CryptoHash("Invalid scrypt digest".into()))?;

let params = ::scrypt::Params::new(ln, r, p, expected.len())
let params = ::scrypt::Params::new(ln, r, p)
.map_err(|e| PasswordHashError::CryptoHash(e.to_string()))?;
let mut computed = vec![0u8; expected.len()];
::scrypt::scrypt(&password_bytes, &salt, &params, &mut computed)
Expand Down
2 changes: 1 addition & 1 deletion crates/core/src/credential/ec2_signature.rs
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64};
use chrono::{DateTime, NaiveDateTime, TimeZone, Utc};
use hmac::{Hmac, KeyInit, Mac};
use sha1::{Digest as _, Sha1};
use sha1::Sha1;
use sha2::{Digest, Sha256};
use subtle::ConstantTimeEq;

Expand Down
Loading