Skip to content
Snippets Groups Projects

upd: flip rehash behavior, convert argon2 into bcrypt

Open S Kopper requested to merge kopper/Sharkey:argon2-rehash into develop

What does this PR do? (Please give us a brief description of what this PR does.)

argon2 is only really used to allow migrations from firefish & forks (& foundkey).

using argon2 for everything prevents seamless migrations to upstream misskey in exchange for a debatable¹² increase in security.

so, let's keep accepting existing argon2 hashes to keep the firefish migration path seamless, but rehash them to bcrypt on login.


¹: https://infosec.exchange/@epixoip/110912922574721750, https://github.com/epixoip/hmac-bcrypt/?tab=readme-ov-file#justification

²: the bcrypt implementation used in misskey doesn't support passwords > 72 bytes, but we cannot do anything about that without breaking compatibility, bringing us back to where we started (upstream; if you're reading this, please consider hmac-bcrypt!)

Contribution Guidelines By submitting this merge request, you agree to follow our Contribution Guidelines

  • I agree to follow this project's Contribution Guidelines
  • I have made sure to test this pull request

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Loading
  • Loading
  • Loading
Please register or sign in to reply
Loading