#5623 - Installer does not actually determine a good ratchet default despite language string saying so

By PDStig
Added 23rd Feb 2024, 3:17 PM
6 views

Identifier	#5623
Issue type	Trivial issue (does not break functionality)
Title	Installer does not actually determine a good ratchet default despite language string saying so
Status	Completed
Tags	Roadmap: v11 (custom)
Handling member	PDStig
Version	11 alpha1
Addon	setupwizard
Description	CONFIG_OPTION_crypt_ratchet says "A sensible default is auto-detected at installation but should be very conservatively raised over the years...". But we don't actually set a default during installation. Implement a quick script to run during install to set it to a reasonable ratchet (if the password_hash function exists). We should target about 0.1 seconds processing time. Also port to v11. However, in v11, it should run on setup wizard instead of install; security profile should dictate how long the processing time should be. E.g. minimal security would be about 0.025 seconds. Medium would be 0.1 seconds. Maximum would be 0.25 seconds.
Steps to reproduce
Funded?	No
Commits	Fixed MANTIS-5623 (Installer does not actually determine a good ratchet... (432de62d) · Commits · Composr ecosystem / Composr · GitLab Fixed MANTIS-5623 (Installer does not actually determine a good ratchet... (170eb17b) · Commits · Composr ecosystem / Composr · GitLab

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 23rd Feb 2024, 3:56 PM

Automated response: Installer does not actually determine a good ratchet default despite language string saying so

CONFIG_OPTION_crypt_ratchet says "A sensible default is auto-detected at installation but should be very conservatively raised over the years...". But we don't actually set a default during installation.

This has been implemented as step 6 of the installation process (before installing the forums). A new API was added in crypt, "calculate_reasonable_ratchet".

This is for version 10 only.

By Guest posted 23rd Feb 2024, 4:08 PM

Actually an addendum to ratchet times for v11:
Minimal: About 0.025 seconds
Low: About 0.05 seconds
Medium: About 0.1 seconds
High: About 0.25 seconds
Very high: About 1 second

By Guest posted 14th Apr 2024, 2:30 PM

Automated response: Installer does not actually determine a good ratchet default despite language string saying so

This hotfix is for v11 where the Setup Wizard now has 5 security levels (from minimum to ultra high) and will calculate a cryptographic ratchet based on security level and relevant computational time.

By Guest posted 14th Apr 2024, 2:30 PM

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

#5623 - Installer does not actually determine a good ratchet default despite language string saying so

Rating

Comments

Statistics