pkg/util: Replace custom pbkdf2 implementation by maintained version (#19941)

8cf75b4e · Stephan Eicher · Sofia Papagiannaki · 31e7e35b · 8cf75b4e · 8cf75b4e
Commit 8cf75b4e authored Nov 06, 2019 by Stephan Eicher Committed by Sofia Papagiannaki Nov 06, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 54 deletions

go.mod
+1 -0

pkg/util/encoding.go
+2 -53

pkg/util/encryption.go
+2 -1

No files found.
--- a/go.mod
+++ b/go.mod
@@ -67,6 +67,7 @@ require (
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/yudai/pp v2.0.1+incompatible // indirect
 	go.uber.org/atomic v1.3.2 // indirect
+	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/net v0.0.0-20190724013045-ca1201d0de80
 	golang.org/x/oauth2 v0.0.0-20190319182350-c85d3e98c914
 	golang.org/x/sync v0.0.0-20190423024810-112230192c58

--- a/pkg/util/encoding.go
+++ b/pkg/util/encoding.go
 package util

 import (
-	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
-	"hash"
+	"golang.org/x/crypto/pbkdf2"
 	"strings"
 )

@@ -32,60 +31,10 @@ func GetRandomString(n int, alphabets ...byte) (string, error) {

 // EncodePassword encodes a password using PBKDF2.
 func EncodePassword(password string, salt string) (string, error) {
-	newPasswd, err := PBKDF2([]byte(password), []byte(salt), 10000, 50, sha256.New)
-	if err != nil {
-		return "", err
-	}
+	newPasswd := pbkdf2.Key([]byte(password), []byte(salt), 10000, 50, sha256.New)
 	return hex.EncodeToString(newPasswd), nil
 }

-// PBKDF2 implements Password-Based Key Derivation Function 2), aimed to reduce
-// the vulnerability of encrypted keys to brute force attacks.
-// http://code.google.com/p/go/source/browse/pbkdf2/pbkdf2.go?repo=crypto
-func PBKDF2(password, salt []byte, iter, keyLen int, h func() hash.Hash) ([]byte, error) {
-	prf := hmac.New(h, password)
-	hashLen := prf.Size()
-	numBlocks := (keyLen + hashLen - 1) / hashLen
-
-	var buf [4]byte
-	dk := make([]byte, 0, numBlocks*hashLen)
-	U := make([]byte, hashLen)
-	for block := 1; block <= numBlocks; block++ {
-		// N.B.: || means concatenation, ^ means XOR
-		// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
-		// U_1 = PRF(password, salt || uint(i))
-		prf.Reset()
-		if _, err := prf.Write(salt); err != nil {
-			return nil, err
-		}
-		buf[0] = byte(block >> 24)
-		buf[1] = byte(block >> 16)
-		buf[2] = byte(block >> 8)
-		buf[3] = byte(block)
-		if _, err := prf.Write(buf[:4]); err != nil {
-			return nil, err
-		}
-
-		dk = prf.Sum(dk)
-		T := dk[len(dk)-hashLen:]
-		copy(U, T)
-
-		// U_n = PRF(password, U_(n-1))
-		for n := 2; n <= iter; n++ {
-			prf.Reset()
-			if _, err := prf.Write(U); err != nil {
-				return nil, err
-			}
-			U = U[:0]
-			U = prf.Sum(U)
-			for x := range U {
-				T[x] ^= U[x]
-			}
-		}
-	}
-	return dk[:keyLen], nil
-}
-
 // GetBasicAuthHeader returns a base64 encoded string from user and password.
 func GetBasicAuthHeader(user string, password string) string {
 	var userAndPass = user + ":" + password

--- a/pkg/util/encryption.go
+++ b/pkg/util/encryption.go
@@ -6,6 +6,7 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"errors"
+	"golang.org/x/crypto/pbkdf2"
 	"io"
 )

@@ -73,5 +74,5 @@ func Encrypt(payload []byte, secret string) ([]byte, error) {

 // Key needs to be 32bytes
 func encryptionKeyToBytes(secret, salt string) ([]byte, error) {
-	return PBKDF2([]byte(secret), []byte(salt), 10000, 32, sha256.New)
+	return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil
 }