Password hashing functions for RabbitMq 3.13.7

[ElenaShlykova]

Community Support Policy

• I have read RabbitMQ's Community Support Policy
• I agree to provide all relevant information (versions, logs, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

3.13.7 or older

Erlang version used

26.2.x

Operating system (distribution) used

Windows Server 2019

How is RabbitMQ deployed?

Windows installer

What problem are you trying to solve?

Our cybersecurity team raised a question about how credentials and passwords are stored in the rabbitmq 3.13.7.
As per doucmentation we found the SHA256 is used by default: https://www.rabbitmq.com/docs/3.13/passwords
However we did not found defailts if a salt is provided? If so, how is randomness ensured?

We would be grateful for the details provided.

[lukebakken]

However we did not found defailts if a salt is provided? If so, how is randomness ensured?

It is clearly documented on our website:

https://www.rabbitmq.com/docs/passwords#this-is-the-algorithm

RabbitMQ is open-source, and you have the ability to see exactly how passwords are dealt with:

https://github.com/search?q=repo%3Arabbitmq%2Frabbitmq-server+Salt&type=code

rabbitmq-server/deps/rabbit_common/src/rabbit_password.erl

Lines 27 to 29 in 047cc5a

	generate_salt() ->
	Salt = rand:uniform(16#ffffffff),
	<<Salt:32>>.

https://www.erlang.org/doc/apps/stdlib/rand.html#uniform/1

If you need to see how rand:uniform/1 is implemented in Erlang:

https://github.com/search?q=repo%3Aerlang%2Fotp%20uniform&type=code

https://github.com/erlang/otp/blob/master/lib/crypto/c_src/rand.c#L85-L135