Reject rounds=0 for SHA1 hashes (#292)

rsgowman · web-flow · commit 98776423abd6 · 2019-11-05T21:25:02.000-05:00
Port of firebase/firebase-admin-node#677
diff --git a/auth/hash/hash.go b/auth/hash/hash.go
@@ -20,6 +20,7 @@ package hash // import "firebase.google.com/go/auth/hash"
 import (
 	"encoding/base64"
 	"errors"
+	"fmt"
 
 	"firebase.google.com/go/internal"
 )
@@ -147,7 +148,7 @@ func (h HMACSHA512) Config() (internal.HashConfig, error) {
 
 // MD5 represents the MD5 hash algorithm.
 //
-// Rounds must be between 0 and 120000.
+// Rounds must be between 0 and 8192.
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type MD5 struct {
@@ -189,7 +190,7 @@ func (h PBKDFSHA1) Config() (internal.HashConfig, error) {
 
 // SHA1 represents the SHA1 hash algorithm.
 //
-// Rounds must be between 0 and 120000.
+// Rounds must be between 1 and 8192.
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type SHA1 struct {
@@ -203,7 +204,7 @@ func (h SHA1) Config() (internal.HashConfig, error) {
 
 // SHA256 represents the SHA256 hash algorithm.
 //
-// Rounds must be between 0 and 120000.
+// Rounds must be between 1 and 8192.
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type SHA256 struct {
@@ -217,7 +218,7 @@ func (h SHA256) Config() (internal.HashConfig, error) {
 
 // SHA512 represents the SHA512 hash algorithm.
 //
-// Rounds must be between 0 and 120000.
+// Rounds must be between 1 and 8192.
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type SHA512 struct {
@@ -240,8 +241,17 @@ func hmacConfig(name string, key []byte) (internal.HashConfig, error) {
 }
 
 func basicConfig(name string, rounds int) (internal.HashConfig, error) {
-	if rounds < 0 || rounds > 120000 {
-		return nil, errors.New("rounds must be between 0 and 120000")
+	minRounds := 0
+	maxRounds := 120000
+	switch name {
+	case "MD5":
+		maxRounds = 8192
+	case "SHA1", "SHA256", "SHA512":
+		minRounds = 1
+		maxRounds = 8192
+	}
+	if rounds < minRounds || maxRounds < rounds {
+		return nil, fmt.Errorf("rounds must be between %d and %d", minRounds, maxRounds)
 	}
 	return internal.HashConfig{
 		"hashAlgorithm": name,
diff --git a/auth/hash/hash_test.go b/auth/hash/hash_test.go
@@ -95,45 +95,87 @@ var validHashes = []struct {
 		},
 	},
 	{
-		alg: MD5{42},
+		alg: MD5{0},
 		want: internal.HashConfig{
 			"hashAlgorithm": "MD5",
-			"rounds":        42,
+			"rounds":        0,
 		},
 	},
 	{
-		alg: SHA1{42},
+		alg: MD5{8192},
+		want: internal.HashConfig{
+			"hashAlgorithm": "MD5",
+			"rounds":        8192,
+		},
+	},
+	{
+		alg: SHA1{1},
 		want: internal.HashConfig{
 			"hashAlgorithm": "SHA1",
-			"rounds":        42,
+			"rounds":        1,
+		},
+	},
+	{
+		alg: SHA1{8192},
+		want: internal.HashConfig{
+			"hashAlgorithm": "SHA1",
+			"rounds":        8192,
+		},
+	},
+	{
+		alg: SHA256{1},
+		want: internal.HashConfig{
+			"hashAlgorithm": "SHA256",
+			"rounds":        1,
 		},
 	},
 	{
-		alg: SHA256{42},
+		alg: SHA256{8192},
 		want: internal.HashConfig{
 			"hashAlgorithm": "SHA256",
-			"rounds":        42,
+			"rounds":        8192,
 		},
 	},
 	{
-		alg: SHA512{42},
+		alg: SHA512{1},
 		want: internal.HashConfig{
 			"hashAlgorithm": "SHA512",
-			"rounds":        42,
+			"rounds":        1,
 		},
 	},
 	{
-		alg: PBKDFSHA1{42},
+		alg: SHA512{8192},
+		want: internal.HashConfig{
+			"hashAlgorithm": "SHA512",
+			"rounds":        8192,
+		},
+	},
+	{
+		alg: PBKDFSHA1{0},
 		want: internal.HashConfig{
 			"hashAlgorithm": "PBKDF_SHA1",
-			"rounds":        42,
+			"rounds":        0,
+		},
+	},
+	{
+		alg: PBKDFSHA1{120000},
+		want: internal.HashConfig{
+			"hashAlgorithm": "PBKDF_SHA1",
+			"rounds":        120000,
+		},
+	},
+	{
+		alg: PBKDF2SHA256{0},
+		want: internal.HashConfig{
+			"hashAlgorithm": "PBKDF2_SHA256",
+			"rounds":        0,
 		},
 	},
 	{
-		alg: PBKDF2SHA256{42},
+		alg: PBKDF2SHA256{120000},
 		want: internal.HashConfig{
 			"hashAlgorithm": "PBKDF2_SHA256",
-			"rounds":        42,
+			"rounds":        120000,
 		},
 	},
 }
@@ -206,15 +248,15 @@ var invalidHashes = []struct {
 	},
 	{
 		name: "SHA1: rounds too low",
-		alg:  SHA1{-1},
+		alg:  SHA1{0},
 	},
 	{
 		name: "SHA256: rounds too low",
-		alg:  SHA256{-1},
+		alg:  SHA256{0},
 	},
 	{
 		name: "SHA512: rounds too low",
-		alg:  SHA512{-1},
+		alg:  SHA512{0},
 	},
 	{
 		name: "PBKDFSHA1: rounds too low",
@@ -226,19 +268,19 @@ var invalidHashes = []struct {
 	},
 	{
 		name: "MD5: rounds too high",
-		alg:  MD5{120001},
+		alg:  MD5{8193},
 	},
 	{
 		name: "SHA1: rounds too high",
-		alg:  SHA1{120001},
+		alg:  SHA1{8193},
 	},
 	{
 		name: "SHA256: rounds too high",
-		alg:  SHA256{120001},
+		alg:  SHA256{8193},
 	},
 	{
 		name: "SHA512: rounds too high",
-		alg:  SHA512{120001},
+		alg:  SHA512{8193},
 	},
 	{
 		name: "PBKDFSHA1: rounds too high",
