View Issue Details

ID: 5623
Project: Composr
Category: setupwizard
View Status: public
Last Update: 2024-04-14 18:30
Reporter: PDStig
Assigned To: PDStig
Priority: normal
Severity: trivial
Status: resolved
Resolution: fixed
Product Version: 11.alpha1
Fixed in Version: 10.0.46
Summary: 5623: Installer does not actually determine a good ratchet default despite language string saying so
Description: CONFIG_OPTION_crypt_ratchet says "A sensible default is auto-detected at installation but should be very conservatively raised over the years...". But we don't actually set a default during installation.

Implement a quick script to run during install to set it to a reasonable ratchet (if the password_hash function exists). We should target about 0.1 seconds processing time.

Also port to v11. However, in v11, it should run on setup wizard instead of install; security profile should dictate how long the processing time should be. E.g. minimal security would be about 0.025 seconds. Medium would be 0.1 seconds. Maximum would be 0.25 seconds.
Tags: Roadmap: v11
Activities

admin

2024-02-23 20:56

administrator   ~8345

Automated response: Installer does not actually determine a good ratchet default despite language string saying so

CONFIG_OPTION_crypt_ratchet says "A sensible default is auto-detected at installation but should be very conservatively raised over the years...". But we don't actually set a default during installation.

This has been implemented as step 6 of the installation process (before installing the forums). A new API was added in crypt, "calculate_reasonable_ratchet".

This is for version 10 only.

admin

2024-02-23 20:56

administrator   ~8346

Fixed in git commit 432de62d4f (https://gitlab.com/composr-foundation/composr/commit/432de62d4f - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

PDStig

2024-02-23 21:08

administrator   ~8347

Last edited: 2024-02-23 21:08

Actually an addendum to ratchet times for v11:
Minimal: About 0.025 seconds
Low: About 0.05 seconds
Medium: About 0.1 seconds
High: About 0.25 seconds
Very high: About 1 second
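The calibration the issue asks for, as an added example that is not Composr's own calculate_reasonable_ratchet: it walks the bcrypt cost of password_hash() upward until one hash exceeds the target time, using the v10 target of about 0.1 seconds and the per-level v11 targets from the addendum above. The security-level key names, the floor at PHP's default cost of 10, the sample password and PHP 7+ syntax are assumptions of this example.

```php
<?php
// Added example (not Composr's own calculate_reasonable_ratchet): pick a
// bcrypt cost for password_hash() so one hash takes about $target seconds.
// Targets per security level follow the addendum above; key names are assumed.
const RATCHET_TARGETS = [
    'minimal'   => 0.025,
    'low'       => 0.05,
    'medium'    => 0.1,   // the v10 installer's single target
    'high'      => 0.25,
    'very_high' => 1.0,
];
const BCRYPT_MIN_COST = 4;   // lowest cost password_hash() accepts
const BCRYPT_MAX_COST = 31;  // highest cost password_hash() accepts
const FLOOR_COST      = 10;  // PHP's default cost; assumed floor for slow hosts

// Wall-clock seconds for a single hash at the given cost (constructed sample input).
function time_one_hash(int $cost): float
{
    $start = microtime(true);
    password_hash('calibration-sample-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

function calculate_ratchet_example(string $security_level = 'medium'): int
{
    // The issue asks for this guard: older PHP has no password_hash().
    if (!function_exists('password_hash')) {
        return FLOOR_COST;
    }
    $target = RATCHET_TARGETS[$security_level] ?? RATCHET_TARGETS['medium'];

    // Each cost step doubles the work, so walking up from the minimum costs
    // roughly 2x the target in total. Keep the last cost that stayed within
    // the target and stop at the first that overshoots it.
    $chosen = BCRYPT_MIN_COST;
    for ($cost = BCRYPT_MIN_COST; $cost <= BCRYPT_MAX_COST; $cost++) {
        if (time_one_hash($cost) > $target) {
            break;
        }
        $chosen = $cost;
    }
    // Never hand back something weaker than PHP's own default, even if the
    // host is slow enough that the target was reached below it.
    return max($chosen, FLOOR_COST);
}

printf("Chosen bcrypt cost for 'medium': %d\n", calculate_ratchet_example('medium'));
```

Because a single timing sample is noisy, run this on the production host (not a developer laptop) and treat the result as the value to store in CONFIG_OPTION_crypt_ratchet, to be raised conservatively later as the language string already advises.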

admin

2024-04-14 18:30

administrator   ~8587

Automated response: Installer does not actually determine a good ratchet default despite language string saying so

This hotfix is for v11 where the Setup Wizard now has 5 security levels (from minimum to ultra high) and will calculate a cryptographic ratchet based on security level and relevant computational time.

admin

2024-04-14 18:30

administrator   ~8588

Fixed in Git commit 170eb17b33 (https://gitlab.com/composr-foundation/composr/commit/170eb17b33 - link will become active once code pushed to GitLab)

admin

2024-04-14 18:30

administrator   ~8589

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

Issue History

Date Modified Username Field Change
2024-02-23 20:17 PDStig New Issue
2024-02-23 20:17 PDStig Status Not Assigned => Assigned
2024-02-23 20:17 PDStig Assigned To => user4172
2024-02-23 20:17 PDStig Tag Attached: Roadmap: v11
2024-02-23 20:19 PDStig Description Updated
2024-02-23 21:08 PDStig Note Added: 0008347
2024-02-23 21:08 PDStig Note Edited: 0008347