Updated PBKDF2 hasher with more complex format handling #319
Conversation
|
Hey, @loffa! I haven't reviewed your code yet, but I'm a bit hesitant on upgrading to Go 1.21 at the moment as I think that'd merit a major version bump. Just as an example, although Go is almost non existent within my team at work, we have a small service I wrote that was limited to Go 1.19 because of the client's restrictions. I can see people facing something similar at their work places. So, if you don't mind, I'd prefer to stick to 1.18 for the time being. I'm working on improving the caching system (see #310) and I want to completely redo the whole options mechanism, aka |
|
Hey, |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Sorry for the delay, @loffa. If you agree, I'll merge. |
|
I agree! I can not see why it would be a security risk to log the hash-format or keys that can't be read in the hash text when they are unsupported either way. |
This change adds compatibility with the hash-format used in Chirpstack 4.
Since Chirpstack 4 is rewritten in Rust the format for storing passwords has changed a bit. The new format now follows the specification PHC-String-Format.
The changes in this PR identifies if the new or old format is used in the supplied hash and then extracts parameters from that. Comparison is done only on the password part of the hash since that is equal between both old and new structure.
An update to Go 1.21 was needed to utilize the new built in slices package for comparison. This could be removed and rewritten for the older go version as well if preferred.