fix(NODE-7107): Use of password hash with insufficient computational effort

[kreeksec]

fix the problem, we should replace the use of MD5 in the passwordDigest function with a more secure password hashing scheme, such as PBKDF2. PBKDF2 is available in Node's crypto module and is suitable for password hashing due to its configurable computational cost. The fix involves updating the passwordDigest function to use crypto.pbkdf2Sync with a reasonable number of iterations (e.g., 100,000), a salt (which can be derived from the username or generated randomly), and a secure hash algorithm (e.g., sha256). The output should be encoded in hexadecimal to match the previous format. We will need to add the necessary logic to generate or use a salt, and update the function accordingly. All changes are confined to the src/cmap/auth/scram.ts file, specifically the passwordDigest function.

Double check the following

• Ran npm run check:lint script
• Self-review completed using the steps outlined here
• PR title follows the correct format: type(NODE-xxxx)[!]: description
  • Example: feat(NODE-1234)!: rewriting everything in coffeescript
• Changes are covered by tests
• New TODOs have a related JIRA ticket

[baileympearson]

Hi @ptrgits , thanks for the contribution.

The behavior of scram-sha-1 authentication is defined in the MongoDB specifications. As such, we cannot change the implementation to use a new hashing algorithm.