This is an automated email from the ASF dual-hosted git repository. vatamane pushed a commit to branch merge-3.4.3 in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 9cad268c59173f5e0a0e364f8378824d743ea6c2
Author: Robert Newson <[email protected]>
AuthorDate: Mon Feb 10 11:02:12 2025 +0000
Add simple+pbkdf2 scheme
Wrap a simple credential in pbkdf2 for extra protection. This protects "simple" stored credentials where the password is not likely to be presented. On successful authentication this credential is upgraded to the current configuration.
---
 src/couch/include/couch_js_functions.hrl | 2 +-
 src/couch/src/couch_httpd_auth.erl | 43 +++++++++++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/src/couch/include/couch_js_functions.hrl b/src/couch/include/couch_js_functions.hrl
index 737b71c7f..cef2bcccb 100644
--- a/src/couch/include/couch_js_functions.hrl
+++ b/src/couch/include/couch_js_functions.hrl
@@ -64,7 +64,7 @@
 });
 }
- var available_schemes = [\"simple\", \"pbkdf2\"];
+ var available_schemes = [\"simple\", \"pbkdf2\", \"simple+pbkdf2\"];
 if (newDoc.password_scheme && available_schemes.indexOf(newDoc.password_scheme) == -1) {
 throw({
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index de8f106dd..4566157da 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -658,7 +658,10 @@ authenticate_int(Pass, UserSalt, UserProps) ->
 <<"simple">> ->
 authenticate_int_simple(Pass, UserSalt, UserProps);
 <<"pbkdf2">> ->
- authenticate_int_pbkdf2(Pass, UserSalt, UserProps)
+ authenticate_int_pbkdf2(Pass, UserSalt, UserProps);
+ <<"simple+pbkdf2">> ->
+ LegacyHash = couch_passwords:simple(Pass, UserSalt),
+ authenticate_int_pbkdf2(LegacyHash, UserSalt, UserProps)
 end,
 couch_passwords:verify(PasswordHash, ExpectedHash).
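Review bot: The new `<<"simple+pbkdf2">>` branch in authenticate_int carries no comment saying that the stored derived key was computed over the legacy simple hash rather than the password, so the extra `couch_passwords:simple` call reads like a mistake to anyone who later touches this case; suggest `%% simple+pbkdf2: derived_key wraps the legacy simple hash, not the password,` / `%% so re-derive that hash from Pass (same UserSalt) before the pbkdf2 check` above `LegacyHash = …`. The commit message says the credential is upgraded after a successful login, but nothing in this diff performs that upgrade, so it presumably relies on existing code; the comment should name where that happens. The wrapping only protects the stored credential if the plain `password_sha` field is dropped from the user document when it is converted, which is a property of the conversion path rather than of this branch and would be worth stating at the same place. The head of authenticate_int and its remaining clauses lie outside the hunk.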
@@ -828,3 +831,41 @@ lockout_warning(#httpd{mochi_req = Req}, User) -> "~p: Authentication rejected for locked-out user ~s from ~s", [?MODULE, User, Peer] ). + +-ifdef(TEST). +-include_lib("couch/include/couch_eunit.hrl"). + +simple_pbkdf2_test() -> + Password = <<"0123456789">>, + Salt = couch_uuids:random(), + PasswordSha = couch_passwords:simple(Password, Salt), + ?assert( + authenticate_int( + Password, + Salt, + [ + {<<"password_scheme">>, <<"simple">>}, + {<<"salt">>, Salt}, + {<<"password_sha">>, PasswordSha} + ] + ) + ), + + Iterations = 5, + DerivedKey = couch_passwords:pbkdf2(sha256, PasswordSha, Salt, Iterations), + + ?assert( + authenticate_int( + Password, + Salt, + [ + {<<"password_scheme">>, <<"simple+pbkdf2">>}, + {<<"salt">>, Salt}, + {<<"pbkdf2_prf">>, <<"sha256">>}, + {<<"iterations">>, Iterations}, + {<<"derived_key">>, DerivedKey} + ] + ) + ). + +-endif.
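Review bot: simple_pbkdf2_test exercises only the accepting path, so a regression that made authenticate_int_pbkdf2 return true for any input would still pass; it should also assert that a wrong password is rejected under `simple+pbkdf2` and, more specifically, that presenting the legacy hash itself as the password fails, e.g. `?assertNot(authenticate_int(PasswordSha, Salt, Props))` with the same property list. That second case is the property the scheme is meant to provide, namely that a stored simple hash cannot be replayed as a credential once wrapped. Binding the property list once, `Props = [{<<"password_scheme">>, <<"simple+pbkdf2">>}, …]`, would let the positive and negative assertions share it.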
