1 year ago · 2c6175f62d
--- a/apps/emqx/src/emqx_passwd.erl
+++ b/apps/emqx/src/emqx_passwd.erl
@@ -43,7 +43,7 @@
 
				 -type salt_position() :: disable | prefix | suffix.
			
 
				 -type salt() :: binary().
			
 
				 
			
 
				--type pbkdf2_mac_fun() :: md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512.
			
 
				+-type pbkdf2_mac_fun() :: sha | sha224 | sha256 | sha384 | sha512.
			
 
				 -type pbkdf2_iterations() :: pos_integer().
			
 
				 -type pbkdf2_dk_length() :: pos_integer() | undefined.
			
 
				 
			
@@ -146,9 +146,6 @@ hex(X) when is_binary(X) ->
 
				 
			
 
				 %% @doc default derived key length for PBKDF2, backword compatible with the old implementation in pbkdf2
			
 
				 -spec dk_length(pbkdf2_mac_fun()) -> non_neg_integer().
			
 
				-dk_length(md4) -> 16;
			
 
				-dk_length(md5) -> 16;
			
 
				-dk_length(ripemd160) -> 20;
			
 
				 dk_length(sha) -> 20;
			
 
				 dk_length(sha224) -> 28;
			
 
				 dk_length(sha256) -> 32;
			
@@ -165,7 +162,7 @@ len_match(Alg) ->
 
				 dk_length_test_() ->
			
 
				     [
			
 
				         ?_assert(len_match(Alg))
			
 
				-     || Alg <- [md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512]
			
 
				+     || Alg <- [sha, sha224, sha256, sha384, sha512]
			
 
				     ].
			
 
				 
			
 
				 -endif.
			
--- a/apps/emqx_auth/src/emqx_auth.app.src
+++ b/apps/emqx_auth/src/emqx_auth.app.src
@@ -1,7 +1,7 @@
 
				 %% -*- mode: erlang -*-
			
 
				 {application, emqx_auth, [
			
 
				     {description, "EMQX Authentication and authorization"},
			
 
				-    {vsn, "0.4.2"},
			
 
				+    {vsn, "0.4.3"},
			
 
				     {modules, []},
			
 
				     {registered, [emqx_auth_sup]},
			
 
				     {applications, [
			
--- a/apps/emqx_auth/src/emqx_authn/emqx_authn_password_hashing.erl
+++ b/apps/emqx_auth/src/emqx_authn/emqx_authn_password_hashing.erl
@@ -88,7 +88,11 @@ fields(pbkdf2) ->
 
				         {mac_fun,
			
 
				             sc(
			
 
				                 hoconsc:enum([md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512]),
			
 
				-                #{required => true, desc => "Specifies mac_fun for PBKDF2 hashing algorithm."}
			
 
				+                #{
			
 
				+                    required => true,
			
 
				+                    desc =>
			
 
				+                        "Specifies mac_fun for PBKDF2 hashing algorithm and md4, md5, ripemd160 are no longer supported since 5.8.3"
			
 
				+                }
			
 
				             )},
			
 
				         {iterations,
			
 
				             sc(
			
--- a/changes/ce/fix-14305.en.md
+++ b/changes/ce/fix-14305.en.md
@@ -1,5 +1,6 @@
 
				 Use safer pbkdf2_hmac implementation in following EMQX functions:
			
 
				 
			
 
				 - MongoDB integration
			
 
				-- authn
			
 
				+- authn. Also removes support of md4, md5, ripemd160 as they are not FIPS_DIGEST.
			
 
				+