Move OAuth Token Hashing from PBKDF2 to SHA512

Problem Statement

OAuth access tokens are currently hashed using PBKDF2-SHA512 with empty salts for database storage and lookup. This approach causes authentication failures in Ubuntu 22.04 FIPS environments where OpenSSL enforces minimum salt length requirements for PBKDF2 hashes to comply with SP800-132 5.1.

The current implementation in lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb uses a null salt, which is rejected by FIPS-compliant OpenSSL, preventing Git operations using OAuth tokens.

Root Cause

  • FIPS-compliant OpenSSL from Canonical enforces minimum 16-byte salt length for PBKDF2
  • Current implementation uses empty salt ('') for deterministic hashing to enable database lookups
  • This prevents cloning/pushing using OAuth token authentication in Ubuntu 22.04 FIPS environments

Proposed Solution

Migrate OAuth token hashing from PBKDF2-SHA512 to SHA512 based on the following analysis:

Why SHA512 is Appropriate

  1. Token Characteristics: OAuth tokens are generated using SecureRandom.urlsafe_base64(32), providing 256 bits of entropy
  2. Short Lifecycle: OAuth access tokens expire in 2 hours with automatic rotation
  3. FIPS Compliance: SHA512 is FIPS 140-3 compliant for this use case
  4. Performance: SHA512 is ~10,000x faster than PBKDF2 for token lookups
  5. Security Assessment: FedRAMP and Data Security teams confirmed PBKDF2 is unnecessary for application-generated cryptographically random tokens

Implementation Plan

  1. Update Token Hashing Strategy

    • Replace ::Gitlab::DoorkeeperSecretStoring::Token::Pbkdf2Sha512 with SHA512 implementation
    • Update token lookup logic to use SHA512 hashing
  2. Backward Compatibility

    • Implement fallback mechanism to try both SHA512 and PBKDF2 during token lookup
    • Ensure existing tokens continue to work during migration period
  3. Migration Strategy

    • New tokens will be hashed using SHA512
    • Existing PBKDF2-hashed tokens will be supported via fallback lookup
    • Gradual migration as tokens naturally expire and rotate (2-hour expiration)
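
Added example, not GitLab's own code: a token lookup that tries the SHA512 digest first and falls back to the legacy empty-salt PBKDF2 digest, as steps 2 and 3 describe. The in-memory store, method names, iteration count and output length are assumptions for illustration, as is the choice to treat a FIPS OpenSSL rejection of the empty salt as a lookup miss.

```ruby
require 'openssl'
require 'securerandom'

# Assumed parameters for this sketch; not taken from the GitLab code base.
PBKDF2_ITERATIONS = 20_000
PBKDF2_LENGTH = 64

# New scheme: unsalted SHA512. Deterministic, so the digest is the lookup key.
def sha512_token_digest(plain)
  OpenSSL::Digest.new('SHA512').hexdigest(plain)
end

# Legacy scheme: PBKDF2-SHA512 with the empty salt the issue describes.
def pbkdf2_token_digest(plain)
  OpenSSL::KDF.pbkdf2_hmac(plain, salt: '', iterations: PBKDF2_ITERATIONS,
                                  length: PBKDF2_LENGTH, hash: 'sha512').unpack1('H*')
end

# store: stored digest => token record (hypothetical stand-in for the DB table).
# Returns [record, scheme] on a hit, nil on a miss.
def find_token(store, plain)
  record = store[sha512_token_digest(plain)]
  return [record, :sha512] if record

  begin
    legacy = store[pbkdf2_token_digest(plain)]
  rescue OpenSSL::KDF::KDFError
    # A FIPS OpenSSL that rejects the empty salt raises here. Treat it as a
    # miss so an unknown token is rejected instead of failing the request.
    return nil
  end
  legacy ? [legacy, :pbkdf2] : nil
end

# Constructed sample data: one token issued before the change, one after.
LEGACY_TOKEN = SecureRandom.urlsafe_base64(32)
NEW_TOKEN = SecureRandom.urlsafe_base64(32)
STORE = {
  pbkdf2_token_digest(LEGACY_TOKEN) => { id: 1 },
  sha512_token_digest(NEW_TOKEN) => { id: 2 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  [LEGACY_TOKEN, NEW_TOKEN, 'unknown-token'].each { |t| p find_token(STORE, t) }
end
```

Building the legacy sample entry calls PBKDF2 with an empty salt, so the sample data itself only constructs on a non-FIPS OpenSSL; SHA512 hits never reach the PBKDF2 path.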

Acceptance Criteria

  • OAuth token authentication works in Ubuntu 22.04 FIPS environments
  • New tokens are hashed using SHA512
  • Existing PBKDF2-hashed tokens continue to work via fallback
  • FIPS compliance is maintained
  • No breaking changes for existing OAuth applications

Technical Notes

Current configuration in config/initializers/doorkeeper.rb:

hash_token_secrets using: '::Gitlab::DoorkeeperSecretStoring::Token::Pbkdf2Sha512', fallback: :plain

Should be updated to:

hash_token_secrets using: '::Gitlab::DoorkeeperSecretStoring::Token::Sha512', fallback: '::Gitlab::DoorkeeperSecretStoring::Token::Pbkdf2Sha512'

Original issue: Password/PAT authentication fails in Ubuntu 22.... (#548736 - closed)

Edited by 🤖 GitLab Bot 🤖