Commit 8cf75b4e by Stephan Eicher Committed by Sofia Papagiannaki

pkg/util: Replace custom pbkdf2 implementation by maintained version (#19941)

parent 31e7e35b
......@@ -67,6 +67,7 @@ require (
github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
github.com/yudai/pp v2.0.1+incompatible // indirect
go.uber.org/atomic v1.3.2 // indirect
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80
golang.org/x/oauth2 v0.0.0-20190319182350-c85d3e98c914
golang.org/x/sync v0.0.0-20190423024810-112230192c58
......
package util
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"errors"
"hash"
"golang.org/x/crypto/pbkdf2"
"strings"
)
......@@ -32,60 +31,10 @@ func GetRandomString(n int, alphabets ...byte) (string, error) {
// EncodePassword encodes a password using PBKDF2.
func EncodePassword(password string, salt string) (string, error) {
newPasswd, err := PBKDF2([]byte(password), []byte(salt), 10000, 50, sha256.New)
if err != nil {
return "", err
}
newPasswd := pbkdf2.Key([]byte(password), []byte(salt), 10000, 50, sha256.New)
return hex.EncodeToString(newPasswd), nil
}
// PBKDF2 implements Password-Based Key Derivation Function 2), aimed to reduce
// the vulnerability of encrypted keys to brute force attacks.
// http://code.google.com/p/go/source/browse/pbkdf2/pbkdf2.go?repo=crypto
func PBKDF2(password, salt []byte, iter, keyLen int, h func() hash.Hash) ([]byte, error) {
prf := hmac.New(h, password)
hashLen := prf.Size()
numBlocks := (keyLen + hashLen - 1) / hashLen
var buf [4]byte
dk := make([]byte, 0, numBlocks*hashLen)
U := make([]byte, hashLen)
for block := 1; block <= numBlocks; block++ {
// N.B.: || means concatenation, ^ means XOR
// for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
// U_1 = PRF(password, salt || uint(i))
prf.Reset()
if _, err := prf.Write(salt); err != nil {
return nil, err
}
buf[0] = byte(block >> 24)
buf[1] = byte(block >> 16)
buf[2] = byte(block >> 8)
buf[3] = byte(block)
if _, err := prf.Write(buf[:4]); err != nil {
return nil, err
}
dk = prf.Sum(dk)
T := dk[len(dk)-hashLen:]
copy(U, T)
// U_n = PRF(password, U_(n-1))
for n := 2; n <= iter; n++ {
prf.Reset()
if _, err := prf.Write(U); err != nil {
return nil, err
}
U = U[:0]
U = prf.Sum(U)
for x := range U {
T[x] ^= U[x]
}
}
}
return dk[:keyLen], nil
}
// GetBasicAuthHeader returns a base64 encoded string from user and password.
func GetBasicAuthHeader(user string, password string) string {
var userAndPass = user + ":" + password
......
......@@ -6,6 +6,7 @@ import (
"crypto/rand"
"crypto/sha256"
"errors"
"golang.org/x/crypto/pbkdf2"
"io"
)
......@@ -73,5 +74,5 @@ func Encrypt(payload []byte, secret string) ([]byte, error) {
// Key needs to be 32bytes
func encryptionKeyToBytes(secret, salt string) ([]byte, error) {
return PBKDF2([]byte(secret), []byte(salt), 10000, 32, sha256.New)
return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment