WT-13041: increase BCrypt iteration in examples

Increase the number of iteration done in BCryptHashFunction in the examples from 7 to 12. This is now above the minimum of 10 iteration recommanded by ASVS.
emweb · Nov 5, 2024 · d2ed29f · d2ed29f
1 parent fadc846
commit d2ed29f
Show file tree

Hide file tree

Showing 9 changed files with 26 additions and 22 deletions.
diff --git a/examples/blog/model/BlogSession.C b/examples/blog/model/BlogSession.C
@@ -84,7 +84,7 @@ void BlogSession::configureAuth()
 
   std::unique_ptr<Wt::Auth::PasswordVerifier> verifier
       = std::make_unique<Wt::Auth::PasswordVerifier>();
-  verifier->addHashFunction(std::make_unique<Wt::Auth::BCryptHashFunction>(7));
+  verifier->addHashFunction(std::make_unique<Wt::Auth::BCryptHashFunction>(12));
 #ifdef WT_WITH_SSL
   verifier->addHashFunction(std::make_unique<Wt::Auth::SHA1HashFunction>());
 #endif

diff --git a/examples/feature/auth1/model/Session.C b/examples/feature/auth1/model/Session.C
@@ -34,7 +34,7 @@ void Session::configureAuth()
   myAuthService.setEmailVerificationRequired(true);
 
   auto verifier = std::make_unique<Auth::PasswordVerifier>();
-  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(7));
+  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(12));
   myPasswordService.setVerifier(std::move(verifier));
   myPasswordService.setPasswordThrottle(std::make_unique<Wt::Auth::AuthThrottle>());
   myPasswordService.setStrengthValidator(

diff --git a/examples/feature/auth2/model/Session.C b/examples/feature/auth2/model/Session.C
@@ -32,7 +32,7 @@ void Session::configureAuth()
   myAuthService.setEmailVerificationEnabled(true);
 
   auto verifier = std::make_unique<Auth::PasswordVerifier>();
-  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(7));
+  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(12));
   myPasswordService.setVerifier(std::move(verifier));
   myPasswordService.setPasswordThrottle(std::make_unique<Wt::Auth::AuthThrottle>());
   myPasswordService.setStrengthValidator

diff --git a/examples/feature/oidc/model/OidcUserDatabase.C b/examples/feature/oidc/model/OidcUserDatabase.C
@@ -161,7 +161,7 @@ std::string OidcUserDatabase::idpClientSecret(const Wt::Auth::OAuthClient& clien
 bool OidcUserDatabase::idpVerifySecret(const Wt::Auth::OAuthClient& client,
                                        const std::string& secret) const
 {
-  return Wt::Auth::BCryptHashFunction(7).verify(secret,
+  return Wt::Auth::BCryptHashFunction(12).verify(secret,
                                                 "",
                                                 idpClientSecret(client));
 }
@@ -288,7 +288,7 @@ Wt::Auth::OAuthClient OidcUserDatabase::idpClientAdd(const std::string &clientId
   }
   client->redirectUris = uris;
   client->authMethod = authMethod;
-  client->secret = Wt::Auth::BCryptHashFunction(7)
+  client->secret = Wt::Auth::BCryptHashFunction(12)
     .compute(secret,
              Wt::WRandom::generateId());
   Wt::Dbo::ptr<OAuthClient> client_ = session_.add(std::move(client));

diff --git a/examples/feature/saml/model/Session.C b/examples/feature/saml/model/Session.C
@@ -37,7 +37,7 @@ void Session::configureAuth()
 
   std::unique_ptr<Auth::PasswordVerifier> verifier
     = std::make_unique<Auth::PasswordVerifier>();
-  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(7));
+  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(12));
   myPasswordService.setVerifier(std::move(verifier));
   myPasswordService.setPasswordThrottle(std::make_unique<Wt::Auth::AuthThrottle>());
   myPasswordService.setStrengthValidator(std::make_unique<Auth::PasswordStrengthValidator>());

diff --git a/examples/hangman/Session.C b/examples/hangman/Session.C
@@ -68,7 +68,7 @@ void Session::configureAuth()
   myAuthService.setEmailVerificationEnabled(true);
 
   auto verifier = std::make_unique<Auth::PasswordVerifier>();
-  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(7));
+  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(12));
 
 #ifdef HAVE_CRYPT
   // We want to still support users registered in the pre - Wt::Auth

diff --git a/examples/qrlogin/model/Session.C b/examples/qrlogin/model/Session.C
@@ -42,7 +42,7 @@ void Session::configureAuth()
   myAuthService.setAuthTokensEnabled(true, "logincookie");
 
   auto verifier = std::make_unique<Auth::PasswordVerifier>();
-  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(7));
+  verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(12));
   myPasswordService.setVerifier(std::move(verifier));
   myPasswordService.setPasswordThrottle(std::make_unique<Wt::Auth::AuthThrottle>());
 

diff --git a/test/auth/BCryptTest.C b/test/auth/BCryptTest.C
@@ -15,25 +15,29 @@ using namespace Wt;
 
 BOOST_AUTO_TEST_CASE( bcrypt_test )
 {
-  Auth::BCryptHashFunction f(7);
+  for (int i = 0; i < 11; i++) {
+    int numIt = 5+i;
+    Auth::BCryptHashFunction f(numIt);
 
-  std::string msg = "secret";
-  std::string salt = WRandom::generateId();
+    std::string msg = "secret";
+    std::string salt = WRandom::generateId();
 
-  std::string hash = f.compute(msg, salt);
+    std::string hash = f.compute(msg, salt);
 
-  std::cerr << "bcrypted password: " << hash << std::endl;
+    std::cerr << "bcrypted password: " << hash << std::endl;
 
-  std::chrono::system_clock::time_point
-    start = std::chrono::system_clock::now();
+    std::chrono::system_clock::time_point
+      start = std::chrono::system_clock::now();
 
-  BOOST_REQUIRE(f.verify(msg, salt, hash));
+    BOOST_REQUIRE(f.verify(msg, salt, hash));
 
-  std::chrono::system_clock::time_point
-    end = std::chrono::system_clock::now();
+    std::chrono::system_clock::time_point
+      end = std::chrono::system_clock::now();
 
-  double ms = (double)std::chrono::duration_cast<std::chrono::microseconds>(end - start).count() / 1000;
+    double ms = (double)std::chrono::duration_cast<std::chrono::microseconds>(end - start).count() / 1000;
 
-  std::cerr << "verify() took: " << ms
-            << "ms" << std::endl;
+    std::cerr << "with " << std::to_string(numIt)
+              <<" iterations, verify() took: " << ms
+              << "ms" << std::endl;
+  }
 }
diff --git a/test/dbo/AuthDboTest.C b/test/dbo/AuthDboTest.C
@@ -54,7 +54,7 @@ struct AuthDboFixture : DboFixtureBase
 
     std::unique_ptr<Auth::PasswordVerifier> verifier
       (new Auth::PasswordVerifier());
-    verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(7));
+    verifier->addHashFunction(std::make_unique<Auth::BCryptHashFunction>(12));
     myPasswordService_->setVerifier(std::move(verifier));
 
     session_->mapClass<TestUser>(tablenames[0]);