Use secure scrypt salted hashing instead of SHA-256. (NLnetLabs/krill#382) (#98)

Author: ximon18

package-lock.json

@@ -24,6 +24,7 @@
     "ip6addr": "^0.2.3",
     "moment": "^2.27.0",
     "prismjs": "^1.21.0",
+    "scryptsy": "^2.1.0",
     "typeface-lato": "^0.0.54",
     "typeface-source-code-pro": "^0.0.71",
     "vue": "^2.5.21",

package.json

@@ -68,7 +68,7 @@
 </template>
 
 <script>
-import sha256 from "crypto-js/sha256";
+import scrypt from "scryptsy";
 import router from "../router";
 import APIService from "@/services/APIService.js";
 
@@ -189,9 +189,14 @@ export default {
         // Send a hash of the password to avoid storing a password on the server
         // that (shouldn't be but) might be the same password the user uses for
         // other systems.
-        let hashedPassword = sha256(this.form.token);
+        const cost_level = 13;
+        const N = Math.pow(2, cost_level), r = 8, p = 1, dkLen = 32;
+        let salt = "krill-lagosta-" + this.form.id;
+        let pwBuf = this.form.token.normalize('NFKC');
+        let saltBuf = salt.normalize('NFKC');
+        let hashedPassword = scrypt(pwBuf, saltBuf, N, r, p, dkLen).toString('hex');
         APIService.login(hashedPassword, this.form.id).then((success) => {
-          this.postLogin(success);
+          this.postLogin(success)
         });
       } else {
         // Handle admin token based login

src/views/Login.vue

@@ -7825,6 +7825,11 @@ schema-utils@^1.0.0:
     ajv-errors "^1.0.0"
     ajv-keywords "^3.1.0"
 
+scrypt-js@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/scrypt-js/-/scrypt-js-3.0.1.tgz#d314a57c2aef69d1ad98a138a21fe9eafa9ee312"
+  integrity sha512-cdwTTnqPu0Hyvf5in5asVdZocVDTNRmR7XEcJuIzMjJeSHybHl7vpB66AzwTaIg6CLSbtjcxc8fqcySfnTkccA==
+
 scss-tokenizer@^0.2.3:
   version "0.2.3"
   resolved "https://registry.yarnpkg.com/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz#8eb06db9a9723333824d3f5530641149847ce5d1"