Limit ArgoCD password seed to the max length bcrypt allows #137

bastjan · 2023-11-14T17:24:44Z

By design, bcrypt only uses the first 72 bytes of a password when
generating a hash. Most implementations, including the reference one,
simply silently ignore any trailing input when provided passwords longer
than 72 bytes. This can cause confusion for users who expect the entire
password to be used to generate the hash.

https://cs.opensource.google/go/x/crypto/+/bc7d1d1eb54b3530da4f5ec31625c95d7df40231

Checklist

Keep pull requests small so they can be easily reviewed.
Update the documentation.
Categorize the PR by setting a good title and adding one of the labels:
bug, enhancement, documentation, change, breaking, dependency
as they show up in the changelog

simu

Please test this thoroughly, we currently use the base64-encoded Lieutenant JWT which is definitely longer than 72 characters as the password, cf.

steward/pkg/agent/agent.go

Line 99 in bdceddc

    
           if err := argocd.CreateArgoSecret(ctx, config, a.Namespace, a.Token); err != nil {

I'm not sure if we assume that the password will be the full JWT elsewhere.

bastjan · 2023-11-15T08:19:08Z

I'm not sure if we assume that the password will be the full JWT elsewhere.

The remainder of the password was always ignored:

`go.mod`

require (
	golang.org/x/crypto v0.15.0
	local.dev/oldcrypto v0.0.0-00010101000000-000000000000
)

replace local.dev/oldcrypto => golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e

`bcrypt_test.go`

package testbcrypt_test

import (
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
	"golang.org/x/crypto/bcrypt"
	old "local.dev/oldcrypto/bcrypt"
)

func TestBcrypt(t *testing.T) {
	pw := strings.Repeat("a", 100)
	shortPw := strings.Repeat("a", 72)

	oldEnc, err := old.GenerateFromPassword([]byte(pw), old.DefaultCost)
	require.NoError(t, err)

	enc, err := bcrypt.GenerateFromPassword([]byte(shortPw), bcrypt.DefaultCost)
	require.NoError(t, err)

	require.NoError(t, old.CompareHashAndPassword(enc, []byte(shortPw)))
	require.NoError(t, old.CompareHashAndPassword(enc, []byte(pw)))
	require.NoError(t, old.CompareHashAndPassword(oldEnc, []byte(shortPw)))
	require.NoError(t, old.CompareHashAndPassword(oldEnc, []byte(pw)))
	require.NoError(t, bcrypt.CompareHashAndPassword(enc, []byte(shortPw)))
	require.NoError(t, bcrypt.CompareHashAndPassword(enc, []byte(pw)))
	require.NoError(t, bcrypt.CompareHashAndPassword(oldEnc, []byte(shortPw)))
	require.NoError(t, bcrypt.CompareHashAndPassword(oldEnc, []byte(pw)))
}

bastjan added the bug Something isn't working label Nov 14, 2023

bastjan requested a review from a team November 14, 2023 17:24

DebakelOrakel approved these changes Nov 14, 2023

View reviewed changes

Limit ArgoCD password seed to the max length bcrypt allows

1eef39d

bastjan force-pushed the fix-pw-too-long-error branch from 146659b to 1eef39d Compare November 15, 2023 07:47

bastjan merged commit 6ef601b into master Nov 15, 2023
3 checks passed

bastjan deleted the fix-pw-too-long-error branch November 15, 2023 07:56

simu reviewed Nov 15, 2023

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Limit ArgoCD password seed to the max length bcrypt allows #137

Limit ArgoCD password seed to the max length bcrypt allows #137

bastjan commented Nov 14, 2023 •

edited

Loading

simu left a comment •

edited

Loading

bastjan commented Nov 15, 2023

Limit ArgoCD password seed to the max length bcrypt allows #137

Limit ArgoCD password seed to the max length bcrypt allows #137

Conversation

bastjan commented Nov 14, 2023 • edited Loading

Checklist

simu left a comment • edited Loading

Choose a reason for hiding this comment

bastjan commented Nov 15, 2023

go.mod

bcrypt_test.go

bastjan commented Nov 14, 2023 •

edited

Loading

simu left a comment •

edited

Loading

`go.mod`

`bcrypt_test.go`